23542300x80000000000000001287184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:40.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF9C9AB6F30CBC673A4AE5404B2B61F,SHA256=A84C593D6F4C1743E681528B5D54649631E6A55E44F9F14DF8BE393DF88ABA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:40.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF2654A46F874FBDF8EB99D21C2C3A4,SHA256=77B65A7B574F0A1FD3D8A1CB12667A175C14E012096FFAB43FB186405781F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:41.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FB7B2534D052CF559537B9E7FC8EFF,SHA256=4A69046393AB6D606918FCA0CA440CAADBBBC7C2819148FDDB9A40ABD7F73A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.867{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=9B582128822764EBD365D131E1C273DD,SHA256=401E01A52ADB41AEDBB8D99FF369DE7CB193D1CF8A8DC48F9BCD272297D53F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D257051A1EF5CE7C79396A76DE86FC79,SHA256=4514A0BDF37840377E71E01A3C6C4E93C7F8AEE2A8D9152D779F1A449291C966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ACA12B0E8EE8DF4E1C8DF3D9DD2EC191,SHA256=4E4AB3144FCE43B6A3D97237235DF9B256E0074035EFB638F50B12792CB96722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0E0EDDD606DC5BD10C0A11033C51F6,SHA256=27C712C6F7A58CE98A2E8A308AA42BF9D6CD9ACD328DB1547937D431A6B53BB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:38.435{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61516-false10.0.1.12-8000- 23542300x80000000000000001287187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:42.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C26CFD56F9BA2E59E7AB854242A8F5,SHA256=4A053F75BA42DAD55B32A9A66B31CDA1F17F39D5E147794A07DADEFD466EE21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8256041DDCE01DAE9385CF4F789C0548,SHA256=9F780F0623DB966164AB5C7B7BE95AE08BEFC9054F96631A7EE63690543DA93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550D691E9CAAA7B3319B0E036389C042,SHA256=2D257EAA546982FFC4A47E4759EC2E2863ADF49C251674517EA8457838364A61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.420{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65156-false127.0.0.1-53domain 23542300x80000000000000001381187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.298{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28578E74A3C41E6735DFE6A18226E2F,SHA256=E81B04E4F56152D0CEDEC441453C049F817DA43F1AD6FE44B28D63F573552CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:43.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD3C9CB7AA624219CF4F0CE23737F36,SHA256=BCB189A957600FAB6FE668E606CE69FF7D890B978165E9482F8A17EDC4FE4B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:43.881{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=FF6DA4ABF6176DA39229992F8634EC23,SHA256=AABE1A89120A9EEC7DA155398C8868F3AF5A02C0A348C6EC64F5CB72B1C7D14B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.935{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51251-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:42.935{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51251-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:41.425{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:0:ffff:ffff:fffe-61232-true2001:7fe:0:0:0:0:0:53i.root-servers.net53domain 23542300x80000000000000001381191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:43.313{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E781FA5C12545BFBE430EE5E005A69EB,SHA256=329521018D648B56B8868BDA442E7B74DFAC6B72C1D09816CFA9169DAC7B3137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6115F56A2692B072B099DF775DC39ABB,SHA256=40D8E9CC43000E27FBD71E4463E84F70131074023CE68552DF761DCA5403F606,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:44.172{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:44.328{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547DD0FE134E0CAD438485FB2588CA4D,SHA256=8EFC1E416592B7B912DE96B33EAAFE267392FEB692B8115637CCD885B9D5D21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.244{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5705MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:44.195{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6925DCEE623453B60DA877B9B7FA6DA,SHA256=3F1BDFCE7068F1600DC39C4C1B339A62414E86340FCE7300D87E1CFA0066C6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C34F7FC8A196F92751BD52C6FB6E6C,SHA256=C2A3CE29101C5A469029077FBFB209692649591AA90F13A12923BFD2AF2410E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:45.329{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BADF705D9A2C0829DD215A409A12C6E,SHA256=E18CD3026C7A57B8C34155605CDA859492CD39DD4389FABFE20A3FA1488E337D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.249{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5706MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:46.874{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:46.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7362825290F656337736061EF55B1FC,SHA256=A4D8E965AE5DB5BEFA5C89CD8913F174DBE0F718E39181B0BDE86CF017A67C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:46.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DF98A969400654F7E1EA2278C9B45A,SHA256=88405CE73E2C3C10109325D966BBD1F13DF6180E634796D675D4F817ABFA052B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:47.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD633E037143A7496A3A3263D614758,SHA256=F67DDF97B9695E05F26798DE51E6A0F54D0329EEBA25861686A98EB9539FD333,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.007{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:46.959{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.397{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889C6FBDE901717C59F577A333383427,SHA256=ACFBF5AADB9F2D6265041C6AE2F965770477E66C03DECB7F7B9FA55CDC849BBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:43.600{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61517-false10.0.1.12-8000- 23542300x80000000000000001381201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.215{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1388MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:47.150{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8256041DDCE01DAE9385CF4F789C0548,SHA256=9F780F0623DB966164AB5C7B7BE95AE08BEFC9054F96631A7EE63690543DA93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:48.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A909A388B9F4279E8354ECA8F9A22704,SHA256=BCEB78B7580D0113B38B6FC5CC2ADE55D05405A46BD631092A13046EE718C5C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB996A899781C3E751747CFFAB29CA3C,SHA256=CFA3BF1F829DC411E14C3778984702E6ECC38B0C39ACE239B619BA60239612FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B7F31AEAE4ADDEEAF1086BEE6C3713,SHA256=9EF773365380FBAFB967B1F4B6EA7A941C9388BC999EECC6A4DDC7FD5306024D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:45.210{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61518-false10.0.1.12-8089- 23542300x80000000000000001381206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.229{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1389MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:49.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B93DCD428606AD819860621C741FC55,SHA256=C7E9569EFE2BA0733161FBF7336AC19248676417FB0F5EEBB1D723C4D671492A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.218{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:48.372{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=810B3D5810D5F856471855100D6543B5,SHA256=0339840549CB93CE87C83D2B3FD9EF5CA53CFCE2751021789CD46723B81E76EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB3DC75CCC16534CB3E579066F878FF,SHA256=30A4F9186C68B5D65AC3E79E7EE5305B2800CC85C7B63C3B69FAEE6FF77258C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:50.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF51DBED3FBBEAA5E818B2BB2EF23355,SHA256=52E1840E8FBBD9D84AD158CB6E7E19011CF3F7DD0492CEC6D1FB5ED9B9D31B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.680{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8FB7684A374C438D964DEF4279E8FD3,SHA256=DC0EEBA8FB0C0912576D8472A9DC17F898F1FA670147B6F88242CCE474185DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:49.490{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-41033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC9630C29D66C312F8D512D8EA18744,SHA256=D8A7A83DE47EA4F8BEFC8DFF284239194DEE5760A332E261D02DCDA41422E6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:51.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EADDD59A7CFC0CA3F9AC7AC2169545D,SHA256=42FC627C423C07A794A8E5E0BA2560B1005520C17E111DF841AF9F722CBE8F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44CEBEFC0904FBAD5DE6EC82F99E7BF8,SHA256=11931A4E3E870AAFAACE8BCF4127E78DDE6D7EC1DCE82263FAEA8CCB1F840897,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:50.612{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.446{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A973DCFB9988C3C870154B4FB6001E6B,SHA256=717332086D2BAB8EA823263D2B60333E532B785A106136B941C92B134162665E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:52.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DF3EAF9401696837A86884965704DC,SHA256=F0696987FF47DD3BE5FE8D80E05A8450248AF4029AC15BCC24CD68FF61A43AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64695C7DB7FE3DEE2F43E3421374080,SHA256=B5C52A144E93E86D6818AA9549139D435C559B4CB794FBE110FDEFF5C0EC621C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230AAFDEB3F32409DBDFC6945307181A,SHA256=9C937D6715980FDE1C3AF2DC66530FD8074EF6CE4A63F3A1818017574AF4BD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:53.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC7E40F3DABB75427E58ECEF24C1EFD,SHA256=4775EBBF46EDF26ADD5AB3AA6E5EFF575063D90EAA5EFE705CD1FD42BD671A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:52.874{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-5115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:51.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-56851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:53.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34F5B6B14A577BAD4042B1970488453,SHA256=0186F491A563A5506F720823E54012E3D83545126FB846924BD89167C40C4E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:49.491{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61519-false10.0.1.12-8000- 23542300x80000000000000001287206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F564C437287A61647421F25E048FD550,SHA256=A392F8988A6F5D6A9187F438011DBDAA45700F2DFB1DAB83FFD7ED058BD7D58B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.009{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.479{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01B9BFE5B2FB96E3AAE3699508441B8,SHA256=4FDE3C682B459C8F83725660541A192D0D0A6B2161FE4B26486D9EB2A8FF5B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:54.079{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F9B883BF46693F9F5D04F628FBD299,SHA256=A9D5022DAB9DF5468A45B154AFD2D64D53DA721F2A927D9FB57F5B0D418A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.115{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.493{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BF24639CD9B371B412B5C74397876F,SHA256=60513DABA99E3136CCB727355DC25ECE474198FE06BB0B767155C88BBE78FF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.244{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C27B1EE9FA68F304B3288A830CBC8F,SHA256=A354F9875C341DFD01B8FDB8710E41EFAB8AED26A61C0426B500B8513876BEA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.255{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28838-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:55.236{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A228D248A6D3FD0E28C70B43A6B049E,SHA256=A384B8E74748A3CF97C047411B13B671A39680704F6E06A6D7742B8CFEFB75F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:56.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96D5B3CEB097D9022E60526B94D7E2,SHA256=FE14EA18DBDA48F4E7F7646CB88F8D94B751088C9A417BBE084D1DF05C391709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:56.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8317C067EB8CB8E2C1DAD0DDB1025C26,SHA256=F23E8B60DEF2C2FDA17DB981F248C9A8EBE1D8E7ACE045D89533A1C40B1CCADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.521{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261521-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001381237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.366{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2793E80678E6DA4E6858C4E81EF5B908,SHA256=89AA2D576C18ACC861DD189A217FA991D35CBB009409E12551D9CFCA30BCF911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E2E498AFB31A67129D4CFDAA6F084E6,SHA256=BB5A8D7C6BDE1290069ABE297551492EEAF5D325349AC4A249342E2BF7DDBD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5C1A256362A4D8148E5378119682B1B,SHA256=99254CACC7E8AF7AF38896FA908AADA7CF9C85959DD23BB7E9A674DFA791CADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:57.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4F1E080FAE5071B8E767D12704B0FF,SHA256=F94CECC9E35C5FD6F59E1004A8CDBA82BAB111BF370126448380E84821A69413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.460{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEA243D8337A92F09E860553FD251B6,SHA256=086A78EE95C85BCC006466356CEDDBBF31033B4C3F014775A5ADD8B184CEB009,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.276{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.474{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:57.551{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092846111CEE750D9256775B9E6C43A2,SHA256=E7CDFC66602E19582B58C804DE7AFA42A6FAF7B12E732306C33A21261370F014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D46732DF4DBCB65B4B901FE5F206078,SHA256=6D776819B1D5C8A8DF83DDB684FF45CE7A0D13C030CBC299C7F6E1694FD0D599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E2E498AFB31A67129D4CFDAA6F084E6,SHA256=BB5A8D7C6BDE1290069ABE297551492EEAF5D325349AC4A249342E2BF7DDBD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59BBDC44731C9F0D077E8F8787460BB,SHA256=FE874CC8E4CA2FD1EB8575E2FAE3F60BDD232D013D40092B39CB9E0099A4A11F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.850{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61521-false10.0.1.14-49672- 354300x80000000000000001287213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.584{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61520-false10.0.1.12-8000- 354300x80000000000000001287212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:54.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27625-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:58.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.741{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60924AD7A45FDF3A2E82750BEC3FBE46,SHA256=950ADE8E120D41DA928BADFCC79B47F014198680B91C824B611B58D0DDDF7E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.741{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D37372FC5DCF81B5B6F6FB852E22A5E,SHA256=D1389EEE6AAEE0273DB0F2A4F68AD7495733D6133ADBC5035785B4A1BB9146D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5C7CF37C0FCBD00CE394686481F593,SHA256=4BB887FBF97DC1E68BDA675BE05A3D0016F4B4A2B0B7B173495DDA8751C799A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4789AA6C1A40C663AD2A6B3878035C4,SHA256=02E30177DB87ACCB44987FEBAC67DC721C3E84BCF81309D41F63C0DC8AB8C14E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.973{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EB75B5657CD026A730B7297C2ABB1A6,SHA256=1DD369A145CC61EC72C0A6BC47EDC05729BCF57C467029B67C34CF400CD751B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.835{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:04:59.672{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.773{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65ECC7F07C862F07CC29E2DD59450E0,SHA256=D840463814386C43D0E923C2AC6C93E6B0078FA1945C1602C5BF361E904D6262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29248A40C8FF7242598ABA31807D69B4,SHA256=3CFBC5B19842657A84B76775485F6AA5F70802E4AB85558FA92FB51A344E2945,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:56.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:55.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:00.785{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB31A26365594BA97B8C1821629BDA12,SHA256=56FF7EFCDB06E05C089FD5835AB14A0527D102D633DC34AD5C3D86ACC6AE0555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187780E659B4BCEB53390764D22B4162,SHA256=4115AB99A0043ED4F54C8BD6C809796CEA3FB344D40DC1EEF6482F0EF040F354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:58.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=800F6124E8FFB1DB75CABB4FC5180C9B,SHA256=ED0ECE23774207F3CABA32F995810A4D0090BC776CBA5FDEBD5F244C12E93838,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.985{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8236-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.027{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:01.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09669A7D6B8B5842ED558DA11F73A0B,SHA256=D2850B1D3BCADBB5E50C39DF388388EEBEC0312EC16357DB93FC0ABF29366B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F45F0E46A62E194C49D4DA6EFC8ABB2,SHA256=0FFFFF0CC2B8CA1E33EE9E39DB71086AEA7665A11844C4F76E01FAB5A945CC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:04:59.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.088{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38DE5019540CE0868B1D5FAAE9EAD62,SHA256=11CAB5C24CE7C0D70B662E5F58999D1CB2FAFE29A7AB65ACC3060BBE494EAA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B27F1E4FC6133B9DE981FE5B922F835,SHA256=1506D03D0639F16A1C4AE30811A50D61FD378716501E16D8543277D56D8A0235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.542{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5D241BEACA83149986A6717CE58B9B,SHA256=25E3603DFB4A672379A4CDC8CAF15C1FEB681EFB705AA6286983F14C8BCCE5E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.115{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:02.146{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9951558DA2D79B0F1ED75B309F7E3DA3,SHA256=C46521FBFCEDBEFCD4599883F7FBD0EB7D27F89B54D20A0DCDEACAD071A8D440,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001381268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001381267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05193dc8) 13241300x80000000000000001381266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0x8a6a8dd0) 13241300x80000000000000001381265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b447-0xec2ef5d0) 13241300x80000000000000001381264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x4df35dd0) 13241300x80000000000000001381263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001381262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05193dc8) 13241300x80000000000000001381261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0x8a6a8dd0) 13241300x80000000000000001381260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b447-0xec2ef5d0) 13241300x80000000000000001381259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:05:03.587{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x4df35dd0) 23542300x80000000000000001381258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.203{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF2C01CD11ADED2DE9ABB22F728DF122,SHA256=00B2CDE43442153B4D9229AF95D49DCF045C549423E3C8CB43B6774AADD26BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.503{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61522-false10.0.1.12-8000- 23542300x80000000000000001287228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.308{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=478ACF8DA4A21753A1DD94C435E45E88,SHA256=3251F894D2445B4C0E67A57F8405854AEE16EA1DD30FD276AA8E52A8BDF97EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:04.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC6BD6B0F9351D2B75C957D682CD776,SHA256=621CD4D5A9D0730E3CEF3C445F75CBB8D58FE8BC688E35472458D8AEAD8196F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.368{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.363{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:03.245{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C06FD9E7F84E6DC55AF51D8A003EF2,SHA256=98BF4F8585554B60E49B3C7DAD2B37F177FF6D335CEEE6AFAB371906BA656226,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:00.562{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:04.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B7CC1DF6B6D52B4C732DBC33A583034,SHA256=A48E3D272F1B77011E70579CCAA34B27B584DE2C792EE13B7F792A2E0DBC0158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:04.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A3B9511DFFD3C1F110E897516133AB,SHA256=792E6EB9B86C376A5A5728124FEBF584C7990E17AA0F2ED92106196AF62159E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2EAB11787682133071B100E0D94CB9,SHA256=889448FFB909C8130F047790C3531F72D3672919E6A998AE3ABD0F4618121F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFB96A0534260C6208334D2FE61C50D,SHA256=6EAFF1948AE43246185BB73C1CE03A573E474EA72FE8A776BBF4D86B244D23E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C192F1A62AFCB5910055CB7F580BC3C2,SHA256=6F7DCDE8C3C1A884AFC5DF6B2A25978FF483A0EB7CAF58B9BD7A5AB5CD39A65B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:01.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=182E7D074D0396F646195ADBC8977855,SHA256=2CD7E3E3A6E172C5AF908D33B7C843988E3FFA22B3A86819C6A2F9C7B2D70A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.916{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4575769FE14F0434604C64EF60D82631,SHA256=91A209F75AD4FF81D6B84E92AB8E5123C650C5CA12AA9D994146BDEB0AC22F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C45F662A34A00A1FE2DDA991429A5927,SHA256=9DF068BF726C25A8D83732F93DC1D87553EB8D1DCB16F9961CD21DDA07840304,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:02.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F704E7348B0DC7E5C365675597ED313,SHA256=C1D9B0490C332010590474C49D0EE7442384DA12AEF3FB3DD541C199C09BCE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.660{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:05.445{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.934{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5987358800C5414CBD159785892D9703,SHA256=375EE608196951B3700366CC4B44D32F7D49CD2187833411680718434CDF41A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7416F28D9E00C8524A604068CA676A54,SHA256=E0F4B642BB6822658A335AAB8A8E51A366086502DD9D12BFA80E5DDD3D56727F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A847654B4CEF4102045E6FCFAE35FB,SHA256=093531EA59B8822E06FEA150BE320DDAC829DC4070DBB5F0279081278BD38087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=845268B7076F8753EC130FA092B51C05,SHA256=90D2890CD0508F743E0F106B12CAF77B2B20AE3694D0EB7C483D039E596C23C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.108{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A414120CC9D7BB730492CC15AD4BC86A,SHA256=5D9EA932126527966C14EA7B572B9B5F1979FC0B0F03910D165983150A954012,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:03.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16991-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:08.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F7181975C970B5506EE76D1BBD335C,SHA256=828EA4B26AB141074144FEC7B5E848437286817D9565B99099E17D4C3F3FF5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95B65A718C6AACD9399C22EC377493A,SHA256=254B1E07F8C160A2260CF9942CAA69F870D0FB1BCC70C3A2BFC6581519446B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:06.933{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-41350-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F16F0E9FE153D0FBF65FACD96B5D053,SHA256=CE1AE7E4EC151B50604A74AAB63C5AD1A606BD68D0B79BEDAD286E5BD65D53A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.211{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-49877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:07.643{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001287246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.271{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:05.130{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7EBA3C73A517A9A6E23A39B82AE4DA7,SHA256=019549E0835644DB53E9B55E825CC0A65C70534B725DDB4EC1C213AEDAF284DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D2D803D75A35D640E71245827B5821,SHA256=7C826DCECF0FA0F29289FBF2C2DE12ECA01922A605EAD05A336083444A78F1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.981{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19B9021A9EA903EF6D865CC1C8FB99E,SHA256=D64C2599E317BBC3A7308B22AFAC6F1FEB97B908A4D0B4C9AD9929CE35D31237,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:06.519{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61523-false10.0.1.12-8000- 10341000x80000000000000001287251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.339{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FDCB8941EE9A9DF26BDED7CBD7042F8,SHA256=00D020C504878761C83F1112398893FADBFC544E11D6C603E5C32C2986861BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:10.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E01837893B08D2CC42BCDB82559726,SHA256=FA9E388770DB564C0ACF4FFC52B91AECCA4F8DE901CB74FDB67D0F5580E2DBE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.812{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.813{5EBD8912-DAC6-6152-1A28-00000000FD01}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.729{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7228B361DBDE5C84B9DC386EECB5C26,SHA256=7AFB33A6413B32C91D07E4F25B518928B7E0EC5579771AE9FF8EBDF0E9788D5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.313{5EBD8912-DAC6-6152-1928-00000000FD01}30207072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:08.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.135{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.129{5EBD8912-DAC6-6152-1928-00000000FD01}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.013{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2FC184C1147CC3D472C90EDA32AD697,SHA256=10BBC35B6290257774FEC0EE60934614AC821EC7067831B78983EB7D727D7A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95CE1B88CC139DE11BE3158D72D5E02,SHA256=6B0B5898EE3FED1F344A9A9F2FDB01C823FA42C591D5E5C8A61E9A107BB7DEB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:07.540{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34668-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.652{69CF5F33-DAC7-6152-10A1-00000000FD01}19241972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.417{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3312A3E438770D71328B75B6CD84CAB,SHA256=3434A56B7ABF433D324699A49B8A630D8298DB5E0C5DF9762CC5C80C4C054F6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.371{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.356{69CF5F33-DAC7-6152-10A1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D6F6AB6BB37CF925BE123BB8FA7EB8,SHA256=EBD55E958B8C0B9E91385B9CC6FA301B4FA72046F77DE04F137033EF7068FDB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.722{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:10.184{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:09.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.096{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26EABA7FFB1A560D0226A56C69C706E,SHA256=0746CEBAA86B673569159640727D3438E16506007BE9C2B64EF0168CDB43AA51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:09.804{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:08.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.714{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.700{69CF5F33-DAC8-6152-12A1-00000000FD01}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D45632EE4F9F2FCD3CCA81AFA0E5337,SHA256=719CF953CB9054C6AA41A93430EB8FFEDDBD2C7A000EFB9B7A7C596B8335919E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.355{69CF5F33-DAC8-6152-11A1-00000000FD01}29041012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.090{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.043{69CF5F33-DAC8-6152-11A1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB2D362B49AB4A5221CF4F07D2D1AEE,SHA256=FEDE7D85617D172D7C7E3DCA8DAAD2E2BB0AA41B0AC47DCA2950F7BB2C0E19DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.895{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.896{5EBD8912-DAC8-6152-1B28-00000000FD01}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.867{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:11.219{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.229{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72051C7FBDFDC120A4E1B2A8BE4651BA,SHA256=715233C99A42FDA89FE14AA11426C6BCF88E96E301725A1FF10E0E0226A4FAAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.857{69CF5F33-DAC9-6152-13A1-00000000FD01}26601500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893B20B71A08CB999298EA4DBBFD048F,SHA256=900400AAB68A7E5A8950338EF2EDE281384C34B57C43609213FDDEEEC8E5CB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865AF360BEFCFB07D16C7578CD391F39,SHA256=1E8C0E3057DE824517E74F39F83C8F94CA866008B07EA5051D930CF281D227B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.605{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.590{69CF5F33-DAC9-6152-13A1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.411{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.412{5EBD8912-DAC9-6152-1C28-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7AED805BAEDB999F575997F6E674E61,SHA256=C11905C58845ECB7F3A0E5BC22A59E34898A72A9545607CF4C1F0BEAB9C2B685,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:12.121{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.064{5EBD8912-DAC8-6152-1B28-00000000FD01}65846636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51499E8B746E30173B58779463990E1,SHA256=1AE033C62D9D58A358D53ECF3C7F7ABA8EE035C02027A4339BA171F330B83662,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.965{69CF5F33-DACA-6152-15A1-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86437961920D7B75D7D8ED2648AD3E52,SHA256=318F51D4EA120593B41E66DF196EEF7E0BDF56E349946F3E575D9351978E7050,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3F291913A7AA2265F5264290D1415A,SHA256=FB8F9973C2B42FBF5AB87637803C05B65486BFBDF7085C294FAF5AFB5C80D805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.292{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.277{69CF5F33-DACA-6152-14A1-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:15.199{69CF5F33-DACA-6152-15A1-00000000FD01}24083384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001287345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:11.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52500-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FB8ADBB103CD40D32912B4C4EEF1FA,SHA256=1C393645AE6E3E34BD542D42AEFC214A6CD7C4F40789F09CD54095F9F64632E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3096FAF964270A56B73292B96CD2E258,SHA256=81799C5C84852BD8B57FA15A01E7D8E5B9CAA638CEABB3BCA8D5693143243627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1B92849F085F52541CE52B872AE2A2,SHA256=D02325CA3FF984CC18FB76B66540493844AA81269024872D7F65DC3FD9C1CFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.438{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:14.109{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:13.336{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB0FD86F548CB76F84EC3DAE27A48ED,SHA256=5EC3AC74372AAEA40471598A7DA8D2F9D04EB4B87D74FFF257004CEBAD8953E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242628D39CBEEFC5300B0253E4532AF4,SHA256=7214642767A1FE6E0B4BD9991EFEA884E99C591817A54CF79D8977F924985FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.794{5EBD8912-DACC-6152-1D28-00000000FD01}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.728{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3352C050B5D087D5798A83663E5249A5,SHA256=50EAFF2C7FA7BBD0377E053727CADBBA62E3C8D478DBAA21AED6533C381E4D33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3086A1429E49857FD32D29FE4F65071,SHA256=28E2EE4A531A3001063BD81819D7B0745C0C1D2C9853A45D46E4B95DACD53428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929C31CEBEDEC0A8A7F0CFB06D7D4099,SHA256=AD720D35357E71F8AC899C005F3B4354BEF0F5067D76284D076C9BBEF21B0903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:13.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.503{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61524-false10.0.1.12-8000- 354300x80000000000000001287351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:12.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-58242-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED95F72B44E21CEA6C6F2AA1A480BE67,SHA256=F0D5FA7EEC371EAD309429E8868AEE7F4B52E36542070A5324850DFDAD09B319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2008441870CE2195A0EE9BCB39D6453,SHA256=BEB898A3E035E6EB5174DEFAFF02B55ED930C8A2AFDBD8908F4C9DEEB9F5B541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.763{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D23C1324AAB14646C696C494221756A9,SHA256=03DB7AE45B94039F76F4D8C5331043EE7FB615552082A17F1D51CA784D021351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.630{5EBD8912-DACD-6152-1E28-00000000FD01}7001840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.477{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.478{5EBD8912-DACD-6152-1E28-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.502{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:15.539{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.093{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D443F797BD020AF77206BB307F8A6FF1,SHA256=B207FF63ADC832A16B147130B970C71883CDADD94C1F46134610C9893016941F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.994{5EBD8912-DACC-6152-1D28-00000000FD01}70287024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6095B6D2DC0739A2B54D452E93CE7D3D,SHA256=CD1AC8518A39BF5FD386444689B519FC2C49F578395072F776A033C5D050AB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:14.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CAA0E32B075FB7036FF5279D36BADC,SHA256=DAB97E0D7A8D69204AC1F6D1270B87FA16D748890CDE3044857104CE7D5CD169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F7AD0FFFBA2B75E5FE50B13B959357,SHA256=FEA99A17242459F4EAEFDAE77F737A1C7CA52A249CF47B28AAB0D5F3862F1A03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.068{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:16.633{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.131{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819DF42FF1C022A5987ECB0742CEE454,SHA256=52A7DE01996B12EE8D1A2AA63FB5807FEAEF0F598A2EC08E4F86BE6DFBC1895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.976{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=566AB550A9D019E946E00ABDF6CD7E0A,SHA256=E5D791947FC0B485E9EA05A143A8F75D2F8DA6A53E8C12AD724CF48B562F9CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.820{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:18.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.737{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:17.607{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF85FB41E285EED895C4C4A2E72414A,SHA256=D77D54372ECC6354DC828294CB87DCE0C849493D5EB49AF8644AA95B003C62FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F1EDA83BF3613C1154D82BDF202FF3,SHA256=760468ED759B7AC51FBE5984CACA53E696D3B98F7B22907677FFB7F879451FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:15.568{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.172{69CF5F33-7F27-614D-0B00-00000000FD01}6241444C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001287357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F83E377F3AB23228AF14A5C80F38E9,SHA256=81BAFFCF7C2F3C2926D73A4E07FB26775B1E0BBC95C8E974E19CF3AE5725BB18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10039-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:19.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.160{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF81FADD6A68A0D588DA4C31D3ED060,SHA256=AFD126F8D80BAC15DD20815864217F1B60844017475FDF3F7A79E81998BE9802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.782{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31BABA9C0F877E0271DF05B712F5E79,SHA256=C195925A139B387EA04D99C7FE12D079FA7D2779095C8FDE4137D169E5DD3EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:16.912{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670E1DD1C8F614D87C9ED29FAB18824E,SHA256=37B4B28F0AE5C8A6C52297733B8391ECDC05EC57D1051BE1DD87752C3FB18AB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.091{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.092{5EBD8912-DAD0-6152-1F28-00000000FD01}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:20.198{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261525-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001381399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.161{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB53578B7A664B94159E3D62A2331A3,SHA256=C00EAD19B5F3EBD5B9C329E552886FECB2C08517A28D68B364DCFD699B65F1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55E12DD91E4DFEA6B784BD5961304696,SHA256=F6A1B6F3628261002828C7CEF2285212A3C09E4A10737814F65155BF732721BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.033{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:17.527{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61525-false10.0.1.14-445microsoft-ds 23542300x80000000000000001287364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA82AB095FE422AE45737B6B22F393F8,SHA256=602D796CE9DE978DC6577A8342E753E8E8B6A2CCDA4AA9E5B2A31B445DA5F137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF82BF0AF6B3987CD15196ED0BE9478,SHA256=758625E3EB877F8B9169F99431DCAC4A188278056DCC41A455392BE2425E1AC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.594{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.580{69CF5F33-DAD2-6152-16A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:19.153{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32894-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:18.508{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61526-false10.0.1.12-8000- 23542300x80000000000000001287368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.188{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D294969C3E40D2BACED8F9408535D07,SHA256=7A8F4F6E2A78BD27C761E0853D2F100A9D8284A640E518663BC2D4CE9985A781,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.119{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.049{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:21.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.192{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B00249FF48E0CB9C8594AAAE801B9A6E,SHA256=6877B3E005A22D5A641F2F3836EB79BE236F7CD5DCAC6A598C6AC86CC0203468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0CF39F1B07280DAE6612E9D19BDF0B,SHA256=D575DF76DC19B6ACE0BBF005A00B0FFF2A4DED410020D694CDC3AD9F0AC31E91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:20.283{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A9DC8249CB26326F1879C3EC808031,SHA256=8DA3826C2D0BBF6B8014DB65199ECAAB7947EECAF77500D7ABC7445044AB3CC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.202{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.034{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:22.189{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.275{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72B9E4BF6C47EE433D527D0E49A610FC,SHA256=D3287BB4B3E80C09663AC0C7C92B55E5CACD344FB8E250E4DCC0B687BEB20B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.191{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8401AE5155B331640FEA8771E44308A7,SHA256=4F3248B289C8007E53A4200675CF8E1D80BF718805A98043AC48C165C8D2A3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47851C7D33AE47FC14B5B4D33147382F,SHA256=A129AFAB72CDDC9AB8BE5797326895DF7FCDE54412FEB1E42421A2BE3928A99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2342692F3F1E56C34485F296C78A2121,SHA256=B5A28815DFB0886C582EF38354A946043F04AACB8960A6C7152766B7748B48FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:23.337{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB03E1C2C597983C1DFAB83D2ECE499,SHA256=B231BB912FD4275C7238576457E17FB7889FDF001FEE16401C8222683C8C4C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3965BABA4C6A1E4931EB8DA42EAA071,SHA256=1A7BBB7EFA236D524B70040C5AB10C31C0BA740C631A8547C9A73156D58815C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E223053224A83FC9B600893D69B3A13,SHA256=1732A98F00FC3D989860BBCF465A3DD277048B2FABFC747EC599B390A7E99FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.541{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83EB28C3F9CDB59202F761CCCF64557D,SHA256=C2DB29A760528FAA18420FC6A93E2C9FE94317DAC6E4C1235E9567228C387B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.422{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-40856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:24.301{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167FEA9C6F361ACF3E67D7761A098761,SHA256=76E963CEDFFCA48EF2872A205EA72748E1051B3ED2274D749F877158A3DDC117,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:21.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28FF3F8F25499B183611995AEA08322B,SHA256=E131BA1A9769831A62591BC263669FBD808A4FA3A5CAAC81D1129115F2296129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1290A117A92A6C6D911054B51CC02EC,SHA256=C8693E1F4C279A1B10C27CFDDCCAFB8B2C50DDF1970668AB627B589ADE7A2F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:26.531{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A14315E3CA1162A454E1F7E4ECDF3B,SHA256=84FF9B4F40853F533D8BD4B2FC16F4F5B79D277028D3325DD7BFEB171581A1D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:22.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:26.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457683D092DEAA0140CC7A8CCC696526,SHA256=A586FB2AB7027206FDE0A327986910405B9FDBD36C482B0F076DB3E169E9CF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.621{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE738DDE42F21E29654FEB5415900C7A,SHA256=D5C865FC290EF4E9DEAFAFD6D1BF5EDF3FF9BEE623806FAA04766316B1D7527B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.605{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:25.446{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-36179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2990C03ACED3E8B736DF7CF0E358001,SHA256=F316DDDCB77351555EF5F50E0AC2F17101B8F67EF784E8885E6B2B23865C7EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E04492E77D8B3AA1C3A37814C86FBB,SHA256=C731EEF9A9060D79F8BC64546BC40C03689BF72622A79B52B41D3845C66A095C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:26.553{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-40621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.271{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CB60D3985445863779368E1FDD691F,SHA256=FB500E3817CAD78578CC11656D4CE5FFD6C8077FC0C5DAB60228B4B48ECE0234,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61527-false10.0.1.12-8000- 354300x80000000000000001287397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:23.841{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D571A1021BF841820CA75F1E11278E0,SHA256=00E5454EEA059DEA979F0EABED77DCB72E5283BB27FEDB74618AD5D7B70E54DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0739F557646A27CCBDFE52DD9130D25F,SHA256=A9A2DC7D9DB5BA40BDC842996C1875D3715C619B61A28573AB3BB121659789B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCE32A3ED40D0B1FA0C42F739A3537E4,SHA256=3525B3CB0C2590FC6B5A7404DD5E933DDB4B13671F1B2531E939A0F5DCEEE02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:24.920{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2767-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE376DF0EDFC8BF3DD35C54ECAE3FBF,SHA256=6A494DACD07FE1CA911CF124079A6B5EB340885207CD01C858BD06C379EB5C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1DF2DCFC0954E40372753489CFECEA8,SHA256=4B7EF813AF0B0F2E47773773441B11E04EE5AB59B27A9D0B179D3CEEEFC0C758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.302{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E078EADEDE56B9FA957C7D76CB2CA44D,SHA256=D3EC8D0E220CFE8952E830D25D29E3B007EA253922BF387C802F7178227F571D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:25.997{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:29.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4005CC7B8729BA85A19DE3A6BE9EBB20,SHA256=0618503FCEB933DA2D88E1DA52E7B1C40135AA6A80BDE37727308D0F1188B948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F12EFDE4F6135D814BF57C97750648,SHA256=A8C106358367DD4538FE2ABD86ED570C2AD6BC436906ABEAC6827CD57558B019,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:28.014{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:27.629{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-44649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80561F11EC2E1E861F9B151131E1793,SHA256=9D41678AFF4DD9E0F859202E4B7643586672AA1117CCDFEB3577C530A084C2FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:27.397{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14176-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C0739BAC0E966B46643878109A3A2,SHA256=0B5220DB3A9312317A56454BEE537918A0B41B88E1AD7D853DB72E4376EBBC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.920{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F32A0B2EF75A38F7B971719BF800489E,SHA256=D233C98FCA69199F77EEDDAF55EEC20DF27F24EBDD7D3DC985C128E83B6B1220,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.338{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF24B72A98C8A1CE21E6615EEFE94EE,SHA256=48C8BC3748515705C5C84EF072FE5E635D4ECD911187E3892533B1CBA044CCE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD9FFC5B1BF6204E261C11693A8FECCB,SHA256=A265CDEC2BDC908A92D44AE73C6D15470A3061A17F06904CF3DDBA439FC46E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FC6D37EA36E77DBB0D47B1DE0F1D59,SHA256=3EEC01B0ED6FA803751E626DCED61D257348FAC26A3FE078431C3475C2E1DDF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:31.397{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:30.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:29.828{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-53104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:31.353{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A52335B704491F019E1C36ABECF83F,SHA256=6C90BDD47E802D9AA37BF73C3A2956996B540953718D9EE92536B20624D84001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04411CFA37A47EBFEBA17AB61494E65D,SHA256=3ECFBD95F1DFFD4148F59B49858ABF21F5D7F663014021F560A6C1F5BF2DFC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:29.745{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:28.547{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B20BAEC6FA750B5498526134521FE25,SHA256=D249578DE6B3AE76EBB229F718E192F7BA68C3AA100061A2CA00767E77B90516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.049{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2E67381A67866A94308021BFE8F7A8,SHA256=CBD968993B95202CA48CF967CF76910965FB593E380C3D60C11EC0D6B8F9040F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.547{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B09B0A3FF14B53596AA13161C6E0867C,SHA256=564E6D546D30AE0F8B357807D5486BBD6A0B7AE35355AEAA7C6FD72F2505E750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.118{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5A3B47AEFE6DAA2DD781514C11E4E1,SHA256=EE96E5F4A13238DE20661265A9B283B75F161D846DB41F9690FD7E550F7655AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6827F36A8992D1EDBDF41A6784A11D83,SHA256=F5472CF1EA701709AD78B6D13D5DD427EE1F2491CB0DCCE30FCEDCA98EEC63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75DCCB34BF2ABE63ACB9F22F4315F37,SHA256=FDFA53C8448DD5C0AB8A6D3D8C17DE69082F78EB6517989D505C5D5566870A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.641{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.147.165static.165.147.203.116.clients.your-server.de64485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:32.531{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552412019E80C470C411927F99E3C6FF,SHA256=A75E167E383F18382EE57B826C4D1C1D7515719141C6ABC946C34771AC839A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C003E3F7A9E319F6AA61D629018539,SHA256=2D174DE1013E6FEF14C578D205C6EC55EB33EEEC75C6A7811B69E6B000D1680B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30145166E4F51A38D774F19BBAA94D7,SHA256=F19410F60CE9554D534633703DC0C5CC75A9443701346319B66266F457C8E26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EF072CBD244A59CB0677B8275972EB,SHA256=8EACF57E5D6C4ABAF2BF93890E8467D8D272D1F617A5C820352B39230518DDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.126{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6879-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE5E35360B9CB524FB04FE01F210E0A,SHA256=56B2B6DF851AC77B91DE918A533FDCDE363E8982BB35720E5C6440E5D12ED2E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:30.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61528-false10.0.1.12-8000- 23542300x80000000000000001381449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.297{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDEFAC640A6AFF8471C4FD467B7B09B,SHA256=45F1956C5C7645480F87F775785CED938186073FC80E9A0C6D9C1DDA0C97BC5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.210{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:34.107{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:33.710{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-44647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CE5BF934CA76C89F8A6923ADAE4583,SHA256=EFC7105C2B8C49C268E3E2E62180DAD32D65DF4E9C98652A191134C9C8E89FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378B3A409EAAA2B0DAEC6A36A2066284,SHA256=CBBF53BE59301F44354F08A0B7C67B5EC3ABDD7254D63D6F30F017E6EEA2C43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:32.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:31.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.028{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:35.343{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001381490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.748{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C655F3EDE1F7A92B39847268ECB09FB4,SHA256=F1BEEBC174FABDA4529FE3140B89635185432395CDDE7BF52AE0C9F6626B0E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:36.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB9D47CB1C72F0A657C04B291FCC258,SHA256=1AFF0DF562F37933700FDCCEEB700C0A2660D56EF508838001C79FF157A84E46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:33.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29EE9CCE30F809A8D3E127EB3244845D,SHA256=57E69E7868D0FB585FD59753685861118C61832144A133B396430DE7239C9599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E13739E0447AEFB89B44D35A9FA8930,SHA256=CA0AB3E51E064795DFD82741A08A4BFD73E1624440D5586291586D9084FB0FBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-9643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E306EB336E99307041DC1D5240DF027,SHA256=DC0F84BD1C07719D0A07B34FE15F5E8E89C42F3BFE0E4A0DD5E33C6AA6BCD19E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.579{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A171D38B6D43255AD16D350192BDF2,SHA256=6FC79EA2D3850522FDF1E59EAE771D4F539EFE0B666316ABDDB41B7256946ECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:34.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:37.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBFB4103779A4DD0C5622F0F8BC4F47,SHA256=C8F90D7EE7BAAE7B047550B145E094F3163087C37BCE0FE0C0E2C540D4300F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:37.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1C8A454B8647D93EABA595512C1D6,SHA256=B724E0E3383DBA9EFF794515D8253E5B4836ED0327A2B8653B76E3230344B1EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.263{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-16395-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:37.558{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-24175-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.746{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27B621762ACC4BCB149F9ADE7406A27D,SHA256=BB1A2CF0F2B75B3A9D3C194901ABAAC6D1E7A3379EA1E4F21E8AD7B34EE5D3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:38.593{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DF3C782EFFBE4F7FD5615890BE0F42,SHA256=D8C3119EEC54B26E7BC8407010585B78C9E1CAE3AA88C3CDC61C8A248D599E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A075DC62E877923F976DA9F5433FD01,SHA256=D7E17321463DB0E768F23CD5B768766FBDE0579F5B218382AB7BCFFF9B206557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94344A03E601A5B73B6D198169EAF538,SHA256=060112FC845932706FB1EA3095D338F6327F2BC6EECE23360C366435DC2705C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3656E94E5ECB17B1D5DE8EFC42C8254,SHA256=7688C86484B39266B763E8D47BE2CBA20CAE6373A2EF47EE09BA8AF93C0A6886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.614{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F92CB6160B7D6293FBFF9713128D4,SHA256=257773A9235298C7FB3811A2680493F73F7AC28DD40798FDE842552421262BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E3FD1C5EBE4041893090810731DE630,SHA256=63DA4AF385C4BDF8FFDC7525FC8588C75694CB23C28F231F57001A06078659C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3F6A4B3AC28A3EB2213CFDA6DF95DE,SHA256=873B7243591EEAC2DB9E14B0CFCAF264ABFF31CDBC986DC04555CF3A33494C10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:35.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:35.446{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61529-false10.0.1.12-8000- 23542300x80000000000000001381505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF79E967EAD578B0277A6C8065CA46F1,SHA256=FA27AC38A260EF433BAC41CDA6D58A38DBE1734C5A86CBACCC1647D6DCFB9E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED7393BD4BCF1B800FF670DCDF5F944,SHA256=A9CBC987B4090747497EB8F7DD8B2A3FD8A8A56A8EC6E0C6664F5BC20A3125A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF8FD38E26ED9223661449468A6369C,SHA256=A189784E4E90AFA38D1D352426AA613CAB50103A18C958EEE28A196CBE4B647D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:36.936{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.917{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-37416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.636{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:40.121{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.691{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA18AC3744C7D184A2A178092A2EFA76,SHA256=CF6DEED495585F2A88ED07E11B420415A93142080F8E024F752BB5778DB1D470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:41.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973EDAF628F8995A2B795FBE11E9EDCE,SHA256=11322E634FFAE9FFDE26B7D0340023C9A74B73A54AD7952F476ED6D132EDB3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AC2E798DC9142CAA74D4B48E2340B22,SHA256=D4F9E4E01493FB52C4DAC146215DABFF299D9062F2B259054037315798441A27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:39.792{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-32902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.056{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:41.771{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E9E9D84FA41F5645A2313859F7FDC5,SHA256=CFB08864F0CE259C11A086E4714A04B8AD88FC6331F32E939E2399CF0D04A028,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:38.062{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:42.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A61CBB8EEDC7AFC022313C384DE4C89,SHA256=D0337A057BAC6808B2BAC0C4B543ADFF2408EF7CA05AC95246959FAD94E95873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF1AF33F51FB2B3DC7AD8B8B859EADF3,SHA256=0136D14573ACC81FD050ADDDA7549F9F757504AD63B4C9DCEC9DF8A853A2815C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:42.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DE7E50DDB3CA28B851A36C8BD271D77,SHA256=0843828FA65738A6079A512F90C9A35679FDBF1E21AE6FF24113A5A55A9433BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.950{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51264-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.950{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51264-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:42.896{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.727{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B214A63624436FED9BBF3BDFF79A05C,SHA256=533EDF42ECA3B2C6DB462D5867BE9FE1131390353E6CA498BA127AE22F9CC4F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:39.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14475-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:43.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2822E73C716760035E89A1E44CC774E,SHA256=894FF4C2083D74BB0A032353667BC6B8CB4EB2F82ADF78F9ECA3C2D37380070E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.389{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8CC53D652C83401C3DC9734AF5203BC,SHA256=CC7EB007CE067E58EE37CCC38588840AC9CBA7703C455B9455F003D3540FD237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:43.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF0D1162BE6A45F15697AF365055EBAE,SHA256=1C11B0220C31172ABF844C7F5BA4D6FE396146740DDB1C3046AE43214E5FD922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.285{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:43.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.54.13static.13.54.203.116.clients.your-server.de58373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.742{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC77CA59E81FEA3C685B2000C52174A,SHA256=CD5D65413E3FBCE8B69BD5A98526A8FB89BF4DA34F989CED10CAF81469050E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.463{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61530-false10.0.1.12-8000- 354300x80000000000000001287444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:40.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B69297A8DAA243D4CA81541C33BA52E,SHA256=C41FB24434A96564EEF82F66E0E3A5FC3BF55F399A7C6CACFD70A0EB974A7C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.458{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0E57A4B00D8A2E751DEFB7FEF4A5E0,SHA256=1857D4BE041F1B03CB36ABE28D957D635E266B84A840C1B2A40A62EE3FF71499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.205{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E42AC5737DC4170785A6B8CA36332D42,SHA256=0738572390F232B82EF732CAA11EF139CF5BE223BEEA1AD87034B7625C4DB0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.154{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:44.070{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.756{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57305888F75C4876DD524E82F7AC345F,SHA256=ACCF310838E3CAEBCAE4F9C778ECF29BFC854D85813CF06CE8A19B00BB2C31D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.771{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5706MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E726B1406AFD104A457297C132794AB8,SHA256=2689761A04C039931AC61DDFC44D192A004E4B769D2C0E5E2A5EB7CCD6F35C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:45.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BB221C2C00A2E8D11326BBBF328E3B,SHA256=8687CEEC650A629B735E50B9B322EBCE581196850EBB5C126076DBB349E14798,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.576{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.369{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.079{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EDB7B6E9116560FBE061F0D9FAEE45,SHA256=51DD2AD2BC4B70238617FA07E94C5DD5C5711321149BB12F611CAC42F8BB6899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.896{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.785{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5707MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E5AE04C71AF2CA970E26757453B6F5,SHA256=8046B9D3D72B2F5D07DF572CD7FF8400429E6949670F35A94BF76F9396315DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:46.640{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=114C49FA2B0720DC7A5A6526FA49D31B,SHA256=D4A7265840164364457986D0BD5C549F93A8E19DF3482A29F52B3C4AE2EABBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C85402521F63BDADAFADB8029F75BDE,SHA256=C82604BB1E63947BDA0BA6254F4953760A9D0E96B69EA25B3273B53401507570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.852{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88CF325AFBD2EE4E4C614B325E47E50,SHA256=35C7CED1C07DAA856467453D79B60B291FC32A5CD9E5746FA400AC7AA68C5A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.724{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09B63628E3D49831FF98A80FB1CB2720,SHA256=805F05EC4EC70A8ED76D232D963C6A9472158BF459CE784091DCCEDFFE72C53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.424{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:44.527{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25081-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317C4E108A10DC49EBB8BE42B65AC738,SHA256=2110F635DEF0BF171D59E4D4665F7D144E94D323B0844FF83AE4277E5D33CF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:48.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB977AC7C24AD72076D2FD110FA32E54,SHA256=E2409187ECC7FE78BA908769BD5000B3A6C4697CD06C449B1696F83AD9A59B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D680E9E81EBB14AFAA2E4BF414FEFD,SHA256=D1413F855133370B5038A8F18346A2AFC6CA92B5587DC2A6A9A41123F18BFFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.758{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1389MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.651{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:47.537{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:48.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5DAE63EFE8A80F58BEA7112D01005A9,SHA256=0AFD1E53126698A869AA51E831BB95C09F21EF0ADCA1B8CB9E489F91825E02CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F91CCD95DDF3AFFDCFA52A00981DDF,SHA256=24F93C4F63E17265E418B164524B6960EA5194D2A686481CD9567801A4FD9BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA75E241B4670725F8C9D6995C832710,SHA256=36868DB42004AEA2DE6737AE536115730FAE440FB096603FD87F76EAC25B2E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45DCE13773D09CE15E9F9B2CA542B4A2,SHA256=917AE9EE5DA9032C9215F085C75677CB9ED0B77D81B8A7192373AED6A20EA780,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.232{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61531-false10.0.1.12-8089- 23542300x80000000000000001381560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.772{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1390MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.943{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.875{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.840{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.804{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29172-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.765{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.758{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.730{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.705{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.629{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.393{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:50.886{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5547DDAE10C5BF5F1C484F68DC8F2A4,SHA256=B52753F4C20CEEE07645B9F003774FEC6AAC14090E5C156601B53395B3AE5059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1C3328F99DE5074E74290AB0DF4B43,SHA256=84140554866EFB097ACA643264AE66A94C64CAE4BF29695DCF3F2CB1497CE7A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.243{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.220{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.198{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.176{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.153{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.129{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.107{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.085{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.062{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.039{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:48.978{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.524{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=961B8D9D8823A75AE08F2266F9A0464B,SHA256=8BE64FFCDFE678A977AE0F26C33EDE33241A5BC85949C9EF6011348F2910C299,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49956-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:46.406{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61532-false10.0.1.12-8000- 354300x80000000000000001287459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:45.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D484668610C8CC19471C13CEAAF997,SHA256=3B18EDB25F3FEFCEC861B344A9F94F0C798D2381474B9B90F98AEDF1BFDBC727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:51.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00415B8D42407E94A26CA9C9B64E489F,SHA256=40B9B1630FD65AF0299B1B2AE5E88FEB22481B032F91B8C2409E2B83A9C63B53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.716{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51267-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.716{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51267-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11909-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.334{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11823-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.310{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:49.266{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001287464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF4704B01058328F4427CEBC4F9316F5,SHA256=9976EC52FB15F7515A80BE5C9929381CCD705287968A875C8AAF5BE8EEA6CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:52.953{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D6CCFE15297EBBA03E8E403809A728,SHA256=AD89A4DBEA7429C02E64C5DA03BAA757C63F4536840732B1D6FA8FCA35754A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:49.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:47.818{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:53.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD289929CAA0652AE7243DBA175382E,SHA256=EE98245695C514E1E7176A9F4B2D560500009F67E248CB5B8111E38015E34BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5FEF932C502173C22D26FB0C1C35FC0,SHA256=842E35029FF9013DAFDB07B1352C56146AC3EF1E21866DA43F755007FA30B5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5423090249C4941340CDC36DB4DE2C6,SHA256=B35F328BA01579C986ED942800879B5C326BD2D3D5B09CD61E52BF6A3C48204F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:52.030{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001287472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:54.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C182335585FE807DD431354FE13F4F9F,SHA256=2CCF752CA44F37EEFDFE0F8E928DE9CC7A5B70051D67F1CC608CB55B9BC9AA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:50.324{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8116-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:54.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA5AEA4F497BEAB135C3AF1DD397AB7,SHA256=BF788EF0FD46BFF29C0BE762D6E3601A8D806C0F87FE1B1D911DC614A12B9F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.547{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61533-false10.0.1.12-8000- 354300x80000000000000001287475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:51.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC1EBE297AEAB2AE13A7385A459983D,SHA256=65F750496502082F6180737E99895F475B9262AF1F26B1529F3D46CC50424C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3282F7BAFE86C328A7E878DBD687A587,SHA256=588F6B60D523E143339132913957289C571B49C83E7DAC90C284DBAE5C33E6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:55.001{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4094E7950A6ED2172153B7B3C9D5904,SHA256=EE7C49DCDEC8768B3D58FD4F707B50692CD2C870163B768A71DD8B46D30D7D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:55.810{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com49310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:56.034{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1963BDD2BDB7BB75755266A1BE4248C6,SHA256=D5D0D5DE1DA3E89CDCD78CD42EDCD468C1925E5ACF4DE5B27F1F9F19013D3EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE02528C39B7F8B79BC915CFB49A04D9,SHA256=6A6D21A88FBD51AF80C1147BB18A5C28502E1DA58F3C7F9A6CDEC659BB58EB7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:52.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8CCFA72F044457910B15E08B7F5497,SHA256=07775DAFB95185D0C72F7ABEF085D5653AEC05B899EC35E1F3D66952B6237E71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:57.040{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:57.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E0352BEDBDBC7A4D15E68728673616,SHA256=3485254E4B33D49CDAEDF3E37816E0DAFE93EB32EDC49ADA6B1BAA3B5132E05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8D05CD605696CF453BA450F1F2B73B,SHA256=B1D385B097107CF3D0AACB48475CB8D943C39167FA7225560B00A7F5E82A828C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:53.911{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5E6D232386E86A59C6E7B6856215B9,SHA256=A4CA71CB35926837B23C3B7E6B1C0E0472439F8B8CDE28E10A0EF7908184AF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:58.097{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B30C7D45FB69445DEB794245C09995E,SHA256=BC26CFE0F82140F50E31BBA56F33DC93DF7E04C6511556B98201F0B5C6E3B195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC7F6605176B2679310ADFA67BC8036,SHA256=B27D94D167EC03218B7E5BA76CAE5E3AA80C889C08BE2F75F1FC10FA91731DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:55.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C20497B2F1D8A414E10F065BDEB72CF,SHA256=DA6EACFF965DCABC78E0D6B745A7D77C29F129F884A310A87F962D6AA4AFE341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:05:59.116{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4F6AC8742B2B912AB7A14A34185122,SHA256=3D2D469E6C82A01CA0F895A5073C05E219701A645A9C605A741E8CF78405DAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:59.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC86EEDD504212D34200142BEA9685B,SHA256=B8D39FBF9AAF3D39146E4EED9A9E514506B6D81C683A7E4E8788412E387E53AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.462{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61534-false10.0.1.12-8000- 354300x80000000000000001287490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:57.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:56.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6089DE2046B3BAC756FE67C6328DB7,SHA256=3BD69B602E1B966E5758F69A60D60C0D4287510A5C9EC5648D950EDB91B793F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:00.130{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246F38AF7CDDDE84D8F91955BA384D0B,SHA256=255B66588F81ABFA6DEBC09F61CE70A6E8B96AE343CE9EF40F502017C10C0FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5FACA09EB87605ED30CAF615D1706E7,SHA256=95B2C9D089FB1642E0EC4D1CB511CF03C5FDD27E1F0084EE23F08D00485C38FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1545D4807FF3F2902A5BF88DF9FA11D2,SHA256=16879D390147613D35AFA0AC4FA4D2AD3945D1507254AF2C1879B6746E2789A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:01.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCEB3774D816B8E07DF8E57FA133796,SHA256=3E8BF84427543B43C04CCFB1A1A81BCD6C0B777452A6BBBA55390FC5F558D7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7A5508578DC97DF56AA1EF9DC77B7DB,SHA256=892F4E465C77E9307D7F69E541E32B9823C779CADDCE25B998A023B74EDA7116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BF059BBEE1A89BA9F153F82E7DAAADE,SHA256=C94FDC5DCF6105168C9DA2F4C6181E51C0161B14FD4C832F86CF3E27A0B5F6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:02.160{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA0B94FE1B3A7C6729DBA1260356B8D,SHA256=50240DAC45609FFC0AA35F0696133810C6449E6B2ADFF6EF48E10418962627D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=044B97DBEDEB3AD3F47462A5446F74CD,SHA256=90E002BB49C335B670A713DE9730C40776F834FEABBACD4E5FFC41AFFE1830B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:58.389{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD0FABDBBD2BD4DE177312F2FD1B868,SHA256=BF472FAAF9096BD0F2DA10AB8F876DF790ADA750709A16BEEAC1E19274592ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:02.220{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:03.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4523F02712D391E7F1F775F5F9AD2DB0,SHA256=E13CE491D8D9B44DBF70BB64F5D9204C5A84F414F3B73CECCFB2074BD020AC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193AA685A61B53EA58850998F7FFE915,SHA256=59DD1066461E484C123442C79664C90B56538EFD0C4DCA303C73099AB35BF8A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:05:59.479{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C645B8DDE9A19F23397C2B180B7002,SHA256=31501166E8997FD526DB7E2DD6640036E6350D950766C180112EDB07B0AD3EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:03.111{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse59.14.196.14-23934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:04.191{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C683D8C7D24AACFA0CDB90E3346C869D,SHA256=8F408B487C992E878CF6A823C7729CD9D33F9327B0C8443B10F37F5C53F12D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A2FB6EAFFF39558250B498A3911D64,SHA256=72B88AE5ECE58C1267B678B6D853176CA744E415E818A8703E55A476898245F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:00.632{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1233-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A15C7088D6D6B4B5AE9C0CB362AC93,SHA256=040C593E4463E372CC3EC97FC4D389B6737856500C03B5FB37927417D86CB064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:05.210{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBE1C954D453DF40D6C5DBD6451B63B,SHA256=44A203BF6CB37426D06AAAB486EF97D56FE75229F6FF22174DC3EC147225BBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30443B0C7ED4CB9435EAF8CE3E09D50,SHA256=B5A3DCF59AE77E86197797B2079D4D876B099F219C2F583DAB722DFEA7F9EAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:01.796{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:06.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2767F001CF732BA8A87A5A72DB9C5E,SHA256=B16D428C090FED53A020241C92F874F751457B9423981E353F801A0F9F1BC143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF3ACFC3EFB86ACA59447424B82EEFD8,SHA256=4D206EBFB641464FDD7DB60161D312EC3B72A530936679EB83DC94E2BDE68C11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:02.493{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61535-false10.0.1.12-8000- 23542300x80000000000000001381602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:07.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE78864B38F10293D9AEE4A37C0BEFA,SHA256=48EF50C88350FE4D1AD2282C794B89F0A6C93D1E1FA80309F5F272DCDC164123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.232{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:03.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18340-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C70E6078759EF4A72DCC17CD568AF3D,SHA256=37C0FF3AAD8DF76A7949D90863D3A665A0F10D9DC89C0CA2AEDEBBF990ADAD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:07.999{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:08.254{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48D0CE1CF40968C2C3D8EE7D085758B,SHA256=FBA840ABF0F8A0BCE9FA2AE194363735217CA83531F2590A08B61B36F52C36C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:04.257{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C649948664556084BF710C69DE47AA3,SHA256=73FF2540119584AFCBFDD3DD5F314DB3CE4F83B2E626CC6E0D50DBB8338D39A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AA6CAC863A94CD87A427385FCE0A47E,SHA256=C68143B6C7B39B4AB52DE613811181C6FA4424F673E12A0696282463EDB41E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:05.341{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4919C00BB986D8DC287AD153DFCD1,SHA256=5E2CB360E39687DF4D99D1ACD524ADA9F6D5ECCE5A46E31C15B813EA7233E1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:09.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ABB1B00E8F24264B8E052AAA880941,SHA256=5C2FB393206C192E273EBB96E600602228B907A60ECC2D86640A96704ECFB1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485B6F5EDEF48556AB642DED2C754F7B,SHA256=87ECE7A0B17A5632A71A612394AE6447F8DBEE70F555E1335C59455B4B3E32FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF99E864C5317D45396F4254BC5EE94,SHA256=A458ACBB31C2EC61CE7807AF2665D6E02384F661F57195D8685CD5A194EFFA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0CC08B258056D1EF4742E1198E1F85,SHA256=CA4D179AD3BC8078A054F32DFC6DDA736E3347ECF9725ED564843216FE284E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.804{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.805{5EBD8912-DB02-6152-2128-00000000FD01}6220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.736{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FA4603FE40EAD5436E3D0738F45E10AF,SHA256=B2216974BE935DB3A4DA051CFB26E6258FD8CB3BFF63AC0E997A3F87350F5C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.352{5EBD8912-DB02-6152-2028-00000000FD01}56966516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.289{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4841B6A1F6C0290ECBBF6194F1995B,SHA256=ACAC0F03F508C9BF594B1E8C859E03A6F51790E4EE6F01A23B3D7674783B3753,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:06.451{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-39017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001381613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.136{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:10.137{5EBD8912-DB02-6152-2028-00000000FD01}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.335{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6830867A8F47EDB0D151985C9B5C0A3,SHA256=4EDFD0BFFBE6EF7C43AA99522915E93C7E48B15F92762E195A33B39F49F200CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.892{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.877{69CF5F33-DB03-6152-18A1-00000000FD01}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.626{69CF5F33-DB03-6152-17A1-00000000FD01}12401468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D8A2B95F8D7F0A8DD16CFDDA191B4B8,SHA256=64025077ABCDB6A36C3353B5DDFE3092BE5DD82F5E2EC2C3A128E3F24EF0A03B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.376{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.361{69CF5F33-DB03-6152-17A1-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F228C9FF03AA92F7CA1E758E03A2AAA,SHA256=4AB88D231A6583A1F86D1045A5A1BC6BD6F7E52CECDBFA9435209C5C18E0DD71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:07.509{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61536-false10.0.1.12-8000- 23542300x80000000000000001381626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.151{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160AB20802806451CF0B43529AC48804,SHA256=73FF51DF038237D603EE0BF5029F0F7D5CCDD6DA9936F9012F1D9B581935A4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:11.151{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=316EF460F25449C5B40B9DE719F0413B,SHA256=EA7895DBED6A3A70BBE19072CDE02720022E6478FD21E497989794A8A066DBAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.579{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.564{69CF5F33-DB04-6152-19A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F421DA317DCBC558650F71A6F50028CF,SHA256=E78BE1CF4A67D496C952231729BAC9CD1A27E98DC9C3AB16BB46EC2CE36EA28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB526B590FC729BC77E0539F30CAAC62,SHA256=1B2A46B566A2DB68682449AB1327826C9396B21003BDDEE4168F9E2B36ACCADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.902{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.903{5EBD8912-DB04-6152-2228-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:12.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE20B35854C789BB9FA4467058E19663,SHA256=21879222864BA077BCFE13445B1D2278CD87F6BB19806C6AD7AC9649238B3D71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.126{69CF5F33-DB03-6152-18A1-00000000FD01}17362372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001287556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-42414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:08.638{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001287603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.782{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.770{69CF5F33-DB05-6152-1BA1-00000000FD01}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD5DD17BFA989253D8D02F9AFD15FCA,SHA256=B8D99C1D8DEE6C9B0234D56BFC0C770107E5B82C7C0C8D9049DDB6C968566126,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.595{69CF5F33-DB05-6152-1AA1-00000000FD01}40483420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.917{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160AB20802806451CF0B43529AC48804,SHA256=73FF51DF038237D603EE0BF5029F0F7D5CCDD6DA9936F9012F1D9B581935A4C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.833{5EBD8912-DB05-6152-2328-00000000FD01}64447024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.586{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.581{5EBD8912-DB05-6152-2328-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E097200455D3905A1591DFD989E30D06,SHA256=9B8E8DCDC7AE6387EA62CD80472ED74BFAA609EDA54460CABA85DD6388FEC162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D78B231380CF467008109E85E5485EE9,SHA256=E3EA99882B908E90A3EB2FAA5E66381DA01CE9330640BC6AB31472C8ADDD490E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.267{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.252{69CF5F33-DB05-6152-1AA1-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:09.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE99657279FB788F96D96190EFFCDBA7,SHA256=171785973BA685D040AC2E324693DF84BDDF21A0068F2EB44BEB47363FCC2723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6440D89EB8658EAF4336FEFF12AF5EA7,SHA256=06E941A2AC0472DC45D9132BF25F1EFBBA1712155313C8D4098D80E2661F36C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.644{69CF5F33-DB06-6152-1CA1-00000000FD01}572312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:13.241{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:14.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E912FB8D31A241700D303E18DA53882B,SHA256=AFA7E8A266CF38E21822D474033CB2D7EB631421AF7F0F8764C70E3E3A690522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.470{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.455{69CF5F33-DB06-6152-1CA1-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:11.013{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53910-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:10.929{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7326-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:15.402{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA814540B679C0E0A6F81353AD17244D,SHA256=32173F35ED2D4532DFF65DCE30C5F3ACEC91BA22C75F78EA50DBA79C718499C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FA2AE1B80ACC742657FADDE5C901BC,SHA256=9897DD10528DE92FA1BD569323B96278FDE02152729D860BD171F80BBC19E662,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.231{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:12.154{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F564348F1D1EA36E85AA326DD35CEB,SHA256=7513A6F42E25B645624C56EC3D39F76E4BCEE86118E12AEEECA8D4FE8DB2D781,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.801{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.802{5EBD8912-DB08-6152-2428-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.417{5EBD8912-8CBD-6151-0B00-00000000FD01}640368C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001381651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:16.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E358465864B6F7B6E39108214AFEF88,SHA256=39A656B5503236962C78F1A72B46BA8EDCC23553D82A98BA98A6B726BD2D6D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6298612AF6D1AEBFDB996EE654A8E640,SHA256=051EA6224F145F884F51FA3A18D2ADB372C5840ED9A9278F23A8E0BD52721573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD78E9506738A6CA4DA2A1312B43D939,SHA256=1BC27366033325851D4FDCBA5532DAFCC1A0AE1A66CFFEEEF8CDB29594CB9536,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.684{5EBD8912-DB09-6152-2528-00000000FD01}51966356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001381677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.413{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.412{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001381675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.302{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local51274-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001381674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.302{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51274-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001381673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.295{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51273-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.295{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51273-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001381671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.484{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.482{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.476{5EBD8912-DB09-6152-2528-00000000FD01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2598276F60F96875155683A4307FDDF1,SHA256=CB67F8F9539EE12A8FF85A3D7F7C89435A1D6E656037BD522FAF21C61C02A153,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61537-false10.0.1.12-8000- 354300x80000000000000001287629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.344{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:13.344{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6237B9BF5DC464ED26ACD94069C90C3C,SHA256=1C3132DBDA6401CA085B039CCF302453580FF94B71EC2503C2C82CA04EBD5852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.331{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E9D4A8DAA3405D363598591A831BB8,SHA256=5EBB29CC271BC065C214B5C15148AF466243C7BB276B93DE8CCE84A9A4CB0E8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:17.032{5EBD8912-DB08-6152-2428-00000000FD01}68246872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98316979A94D3996C21EDB4F78080820,SHA256=29CC6B55472DB7268E57F463011C96A38E2AB08944AC708E0F6552369FBCF825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64CCD683C9C8B33EDFAAF65839CEC91,SHA256=72428DA0626F04CDF52012AAA22936E94DBB687AA58027555B1083A909540080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.431{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C3269B2D456CBA783D26CF79D04A3E,SHA256=6A77AD60CD6265F0D15C1E08A57B5ED72022B35BE8BB9AC31168D21D2447CA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3102633DA57DF273ACC631D049579FFF,SHA256=B701092ED7B5538F31476D5E8126B00E3C95B9AEB7B4AC1FFE2F90580B5A3265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F853EF4958D2DCA82B9B65C763A2EF1,SHA256=05E2A9D7E7DE2C082E31CD57B71566A8E6A2B622B05A2C10854B6E6E6C70C8EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:18.990{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:19.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5D00919127AF5792BF44072A90ADFB,SHA256=4627313B1CC8982F6D44CF9EDBDD07D0E862CE12E6D04129924D22C93631993C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=637EDC90FD2D24E46C5CD7C9C94F83CC,SHA256=15F7867D47AD0C7F29F42279D8225A9AC71E789B83CA70E06AEB79B46684B23F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:14.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13061-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB19AD51992310215DCD398974B39FB3,SHA256=98A050B97C9EE9C2BB84375592D34E3670046E7C4DB80A55DF2BDDF4CDA25486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196C33722270275413775679A95325E6,SHA256=5FCB6FB2D19E2C8E62A70328A2CB39BB106AF51A3104A3E2ACAE4CEFD4D1B050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8FB01F01BD959117E99BB16DB4CE58,SHA256=DC69D3986CD7755F40EF99B285886CC590F5E1C2BA25B108D8B964884F3AE1BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18648-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:15.575{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001381690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.101{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:20.102{5EBD8912-DB0C-6152-2628-00000000FD01}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CDF0A81F56FFF49EB97CC051978333,SHA256=90E9DD745C6EF03D6E51F0C53ECD7C185B0352C43193432FD241F5BE3C017645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:21.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743055ADC459077AF8666C0A06CF39D4,SHA256=0C523E88AD8ABB6D50A42217674B1E8F12A05ECADFA15394A183D93D799CFA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B278A27DFB6060635D8FB38E4C7415F9,SHA256=7C98B390D385418C7F7526082A66A84C915F488FC88F366B136967438A3DA94E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:16.900{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-24290-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:21.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FC519321A2E6259470020C43FD4701,SHA256=169C3778DB695333C9360D160E5A1B0F6A11C6CD6309DD134390097668FD1260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8324E03A660DAD1F3A708088A9152362,SHA256=7BAEC8E021E277EF1E33C4567E3CF7061F91D74ED6AD50601AB91F154ED39C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:22.447{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A704A70AB3E05D2FF8F75DCB3249ABB3,SHA256=D40C3C6ECEB339A0F84C92E408B69AE94FB90E1DFDC34DBF3965BF3C65E309A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8195F3E40A169B41461583C8DE7F82BF,SHA256=76E121B43C38D232F8BB0195F3906B23EEFE09EAAD2B32F44F08B47F189DEFD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.598{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.584{69CF5F33-DB0E-6152-1DA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:18.017{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-30156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:17.814{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86FD1DF311AF745C08DD7A286992D989,SHA256=2715885C60FAE7A321E74822213FC66E26FF9C60261A551C69214021E54AF40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7B8069809E111838F0717F5813C9AA,SHA256=062DE4D4B73574F534D4A68AE965EF38A6AC90B0EB74F30FA0FF9A268DD614E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:23.482{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063FFC4CB507BF66473A6B46A02C0CAD,SHA256=A223C4BD880E691E532D04F97499820A8049223334B379AFFDE891702609EB38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:20.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:19.434{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61538-false10.0.1.12-8000- 23542300x80000000000000001287673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A9A4EA0DABCED15219BA464898DCF9,SHA256=E938FAB29B36A1DCECDE5A2CC633CA9071D076BED413511DB212E09336D83A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71554282CB8B41D212543DD60F74F4E9,SHA256=45B1D5530D30D171A7D52F56FF721326B0E710DC673BEAF653352D7902088A3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:24.169{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:24.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81C0DEEB52545DC03E8DF4ABBE8C86A,SHA256=64C9EFC01CF02D888D4A3F8F308318B7BEC6C16F0A2E99E22014F38DFF23177D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:21.110{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:25.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239AC50EB8827DB3860D94E345B92528,SHA256=A4C482D20C71FD4F332D09C166256C796B6E20E40E5F1783E3CF9E445EE3CB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:25.499{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5F2663047536B3DABAC2B18594E6B2,SHA256=2139B0DF340CD1123C8F5597EB27978CE3348FF8484BE480F10A322C862147E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.557{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52863-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:22.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4556C281312AFA79873C2A5A77CCB21D,SHA256=9B1104D6CD5ADCCFCCC7DFF20E0F5D799F05284EC0089DE482D70293F04787D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:26.560{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533A6A6A4F57847D71A6558C870025B3,SHA256=6CA443C4E5DACA0567BCD87A61F9B7F740B7033697C9D9A073924E12D774CD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:23.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-24769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FC7495F57AED740443582A624BB4DB9,SHA256=FBB4D05A4CCB369B9DA86C30A52F5FDD81C19FDC8B8C0A6CDBD49DF22F75F2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F73F0EAF36BB3A532318FFA137BF1A,SHA256=516C4A00938FCB192B6F854CF5E3C9DF3875D2A3174A45B948D4B98E636E39A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:27.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5031D9D7AC8E4EBE2F9EC060008E17F,SHA256=56117E2A24BE866FDD591EDAE3A342D2977A0A341F675F3AE1082CD30DB58A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61539-false10.0.1.12-8000- 354300x80000000000000001287681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:24.486{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-31568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E216AA51C5AD241F10003F46F2ACBB7,SHA256=EBD707040971DF84F6F40F2A6A714BA1B3A37E1B57508E68705698412F8D2578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE570B12ECFF98A0ADAE457931888499,SHA256=21AAB2B2DF25231E6086BFB8F63C5DF3C497689947E1571F6EC709B12D6D29F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9D08215B3C0A85BF48C886E4C85779,SHA256=C10A76B6AD607ABF1363AC9209ABB727243EB078CA2D72ABE7CDFD44144F3412,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:25.580{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10C953BC275FA530A9D258E30F07EAFC,SHA256=5ABE112351CF3A4B42A7FBDAA919EB7D11D620344B5F33C568A33B5DCB18552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363711E368C08FDE864EC62A9FE2F1E9,SHA256=90BACF7D938014AA30CB49AF4DD6BCAF63A7FF14548811B12113DE16C7D30064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:28.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C53A41EB7C2C5F811CBE33626FC7379,SHA256=BC613955910A527A72C5D4DA8F42DDE1F65EB2ACDCED3033B11AD6CD1C55296D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B832A7D3F211BCF1111FE3E73AC4BC26,SHA256=42BF2E88CA090BED0E7CD660A1B67D840DCF74DCB73DDB9070C93A8C34E92A19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:29.187{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:29.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926372636B3764351C806D57659FAD90,SHA256=15A17BA52C7234A9954DEE15DF783B7B005A2AF7159EAA6F2C7126DCA92C30B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:26.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2447645AC628796B7FA02BF13A27FB59,SHA256=39E771D897458C4E64E2510FA918CB14C7F5D31F1ECAFBD0FE646FF3BA4129C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:30.693{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C694054BEF2E947DFDE595E2F2708D1,SHA256=960D23AC340B4AB931B783092CED58CA3FFB39B5C08BA02D657886C7E2E10CBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E4D14F422A425CC7BE05C694533E8F,SHA256=FBBADDAB64F6CE2E01898A38C98DF04BB90ADC550BAA4AFF75EC1874F5F3A00C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:27.767{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51194-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BBBE14D48E931A713CB404497DAB77F,SHA256=360AD2BB375CE6A959A90F18603DD6F30DE32AC9A01F985E566189B0797640FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:31.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E78382DBDEC3920D3149379C4BD67AE,SHA256=9878E12E11DC60C4ADD910CA90E1826ED583E8C7095AE5989D134AC667297BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD411765C1334D19168E72571DE5E3F,SHA256=CD5609376A3C0D8D1EDCBB539FFAAC4797D01E7832944F184F727E60D279E1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB45DEDF84ACE39D504E64CE22DB3A6E,SHA256=116D7D76367C09A9518449F039C11844831432B00DEB9B1228F943A58E36F0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC68E1124DE16824C30C022A6852FAD7,SHA256=1656169E9C87B0089474EE8C1DE43E7B7933DC26D351A6E68B6D535928437A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:32.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C47DAB3DEDD313CC8CC430F4FE0943,SHA256=7239FD51506D52789FD879D226DFA0688E50BF49536CA04F53B41A978DEB6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B45B39E532C3C3740E29AF1F142D58,SHA256=EBADB836836823082886114C07F0A9791D76A6262368B5F67D4BDE0938EA4FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:28.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.926{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CF50D5C7F91C5305C9A92ED04140DF,SHA256=F46DCD987954CD7D7EE7C5D20E9FB1D9AB365C9C04430B7CBC7E4ACDB303493E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:33.725{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95561661DE0B1FEF0FD1EC248196F0CE,SHA256=039673DFEABD6C0C2C0145BF74E6EAAB1A854243BCCB650AF934DDA86AB20523,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:30.528{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61540-false10.0.1.12-8000- 354300x80000000000000001287699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:29.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5311-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01A9EA4514EEDCB0D76E167BB0AFE4E,SHA256=98EAE5FB54C3C2C8F406D5D3EB7C68747CAE90F481BAFA2F31C5317C9B3FA3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:34.755{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC14901C71C36D336616D0C6E54568CA,SHA256=48D1D35BFDB43EA2FA0ED52A2473EC5C3DD75491430F145B1038C956AC3D43C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A5FABBD08DE5CFC810B01C821F6F7DE,SHA256=481883C90C3C3D1A68F0A552DA8E36A11D8D02A8F46275FDAA1249A49E6CA363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34FDF287F2DA8F2F0CF1B5EA7D8FA7A,SHA256=FC5DCCDA515002156D3283B0F2DDC7F0DCA389C7393F4042DA3C9E5F732AA922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.095{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.378{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:31.001{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5FE2F31B9D9630349EAB18D5DA2B91,SHA256=718FC4977E1A49355DCDFD65EE229AF81E37D714766E9F6EF8E2919F9AB043F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:35.215{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:35.777{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947AC42A76C8EBBAF4FC5BFFA916D924,SHA256=35D788AB3E120AA71A324186ABB41AA4C178ED4AB2AC38117B5DD03AED322C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:32.665{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D63EF34078E2280C3C31743647FCCF,SHA256=84505CAEE495565479AE72B6DBB4761608CB3BF8C19CE6C4B666C0409E685ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:36.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B609A9298226B6EA34C91DD84D373DC0,SHA256=C09A9B836C1E6FBE3EF71367EAF5897E8D8D25A64E977101FF9A699ADB553739,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50640-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:33.314{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F71EA366A8DDC58CCA5ABC9E40E342B,SHA256=B66E4C8D1A884C7915FE020917C0B9AC08AEEBDE65D7B225E217A81359858519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A038653537154ACC17FBF62A4D02F95,SHA256=61006E4E0808694D973FE1C5CCD07E1DCF245272EAAE5ACF664A1C6378E1CCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:37.838{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467CD12E5B952C45730B9DE540E09F20,SHA256=8907084CB759C720629BB282733F102A3182698CBBCFFC97EAE2BE9D8AFC25F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BECFFA6AD92E9E3A13C947AB6FEEBC50,SHA256=8EDF3BA747E43A61FDA8CFFD2A11F88FBA0CF09945C68C335AE391F1A10B9ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85303F19C839F2D7952348257607EB1C,SHA256=93EE157008B405D7E7A5AC43308CAC227BFAF98513E0B619B7BFD23F1F18975F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:38.853{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEF62A33931875B4FEFEBA3F1EF9709,SHA256=62804FCB21C52E31018B745400619B5153B6BA044C2AC39590021103FB7A9CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:34.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A48F53EDCD401B0080421D84AEB86C,SHA256=AEB52E656D67F65A3674ED509CB3C89893AF4718446ACC8DA3540FDCF4010367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:39.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1363C26DCCE93965FE526B7C620B511,SHA256=F92576CB6666B6E202109EF55B63B724E0F6B4252EE968280B942F17FC444CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0890A80E0DA9D265517B88AD3D8680B,SHA256=466FC50041113F4DAFE10D00CAB8EBDDF9AAE3C86713A568E495A501E2B03783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B750DBB14C742E6ED970CFB3AEC5E0,SHA256=A53F62049C5B57CB1A9E6A3917C5A1F43DC42020478FEB73AFC36EDB0B93E76B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:35.470{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:40.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE57B20B964627E3C9F29C15B26AAEB,SHA256=37623D9A27419CDB48BA7F00B1EBFF9EF5BC0D5A4D10864CA107DF85DB6596DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.976{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A6D3F08E8755038CD2F6EF56B4A13F,SHA256=26212800C20466CEEF159B27B817F86DC181C4267746EFFD52F626DF1242EF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370374C0BE6E41DD82F6279089B288AD,SHA256=C194D1C37A8C726819C3E3AA60991DC5A82A81E4E79532F7C6F4CB6D676AEAE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.566{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:36.515{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61541-false10.0.1.12-8000- 23542300x80000000000000001381718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:41.920{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682B2EE0E840FB24333F31472C0FEDEB,SHA256=A454F85AEF03AF67D779B00040DE0930B8DEF7E87524A39C39518EECC8DD5047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA8F661D4D71F16F45CB6F61A8291AD,SHA256=DBE0BD6A27FCF3D2EDDEBE823FC3B689B0BE859FF209428A21EED4F3B8AD6B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1E098780CF369EF1F83A6F1D3D712B,SHA256=E7F8D0A88FA365E3DB87ABE3FAAD5E869CCFE65351DE7966A6650158719DFEAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:37.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35591A9EC6B4135939FDF046580B4980,SHA256=EAEA6EF882D0A98B424875B031192FAAF8E472ABA285BE3B4D12732EBBC1AB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060336D9E4FB23DF23C5880BEDC723FC,SHA256=E3FF18B4527D299DC7571528821FCEDFB81AEEF29DB72789CDB414CD807D0AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363711E368C08FDE864EC62A9FE2F1E9,SHA256=90BACF7D938014AA30CB49AF4DD6BCAF63A7FF14548811B12113DE16C7D30064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.935{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE89F09080ED95604A0FCEE01EA46D5,SHA256=3F7FE580B30A1D84F3BB81AD7D20E116DB7975CD0980F6794353997F8E3ACF2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:41.196{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001287733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB64E6F78F057DE13D589FD20C56435B,SHA256=41DC282CFDD884CBD03319AC1A3104ADA107C234E036EF90A472DB8456068B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.553{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:43.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACDDE4C606485F8999AEE269F5568F5,SHA256=D82391CA109657C377AC60241AB99D04363DD89BCB42097D4F7BDB6054CB27D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.958{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51281-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:42.958{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51281-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001287767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:43.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF40059594C9B6C187FF8E68B30AC82,SHA256=09601B919570D71A5ADCFDE6B348BD0254759BFCBE140E3F589F39DA7C7C96EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.561{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10281-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.495{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9681-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.401{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8757-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.299{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.277{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.255{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8222-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.216{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.180{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.101{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.062{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6986-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.036{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.961{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6466-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.940{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.917{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6201-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.860{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.817{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:39.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:38.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:44.968{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B0027AD481B95617F2F672A12C6ED8,SHA256=4A4FFC0B01CA3BC8238DDF3981713DEAF557EB011C0CF927596808AB6D016C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DCBC3A13F1A5E49A173019921052C2A,SHA256=5B8D5F94501683625C2E71C213740A5ECB791B4ED7BC06A2B5CD0838AF58EC8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27240-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26800-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.897{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.875{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.853{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.831{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.810{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.714{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.641{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:40.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.211{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A56FE9E816532D095B1AEB30384087C9,SHA256=3B06A92ABB104EA0A8E9447CDE609EF4B23251ACB5DDD95ACCB3499A00950757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A6EFFDBA614E30242F9C1B5A3026E3,SHA256=6FD0D37C756BA57C7D78F6A9A56EB9C44D53FC6CD8B5669E1DA0EDF5C9F389EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:45.987{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3660B18520E2000EF7178CCA22334D0,SHA256=CBDA9B9B50F4FD89396C034716B6C63D32ECA667B4C5EB10E8B81C5D3ACEFC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:41.087{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8BC781124E43CB3A7ECE25FC03993E,SHA256=635AE47A26C11F30E3089241517E5AF6D778362868F50E29FA93F6AEE4CC25CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:46.988{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC60E9C6BB22B09E4B9C2AE07E07A667,SHA256=9113A0410B8C8600C56462B9E63C5B46D22E575FD2AA7A213ED9FF8905F77C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.916{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.562{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61542-false10.0.1.12-8000- 354300x80000000000000001287794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:42.216{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE7C9233F6A69D1E3BE30DA98B502FF,SHA256=42A0E774DD45DA5EE4F71EC3BFCE435B5A9DD67A2BD7296562F5BFB5BE366E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.116{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6BC101E14D0C5DB98557D9DE6E8876E,SHA256=195D2913F38BF8A5BEE6E3286C19E64B80F04458BB648CC9A5D5D0C3AF80A0CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:43.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39019-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEDA996014098DE39C2A14457306232,SHA256=5848A88CA2FEFD4C6F29C320151E78BD607E7168F0BFF2A55ED9B0C5D79F6A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:47.450{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.294{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5707MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:47.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=873A2CB70F922E110722540BD61BE92A,SHA256=DFB425AD5ABD40E34BC8C1440BAF1A6766D2DC32589B11EFFDBD3C48A74A4945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD67AFEC197F4FE1DEB2B5388651E980,SHA256=2CA52CF2C673ED9B51DF02D3C23BAC6EE49AB5BAAC715CD87B93B393D50A7EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:47.110{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:48.018{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2137A01A980284C7D3B252BF8A3ED5BB,SHA256=37D933CD3B3B2D4F42672DCAE90C212DE7F6450A5297F264A7B769B6697649F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.252{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61543-false10.0.1.12-8089- 354300x80000000000000001287803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:44.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44899-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22B5CFCC5819717A80F220B2A2102547,SHA256=E1B12CDB9A10DD47EBE876395C6892AFAD072837AAAD3DD15AA068803DF87396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.297{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5708MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B24833B9F336D7FD3D1EDA4296DE17,SHA256=BD69AF4E37C11B4BA73BDC5D74B3496A2371184C56E8C99B98F10A2FAB89D43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:48.425{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:49.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB5A28CC2A5FD0886A62CF9302A45EE,SHA256=F51C34227AD14F7E811B578322EF9B4A634F67329846E2333FBB66603EC93CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A212DCCCA26BE77EA9F60FDB4F8764C,SHA256=A66C6592E6B20D18A222BF3DB1AC73B37A0673481DB42C6229F4846EABA6DFB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.734{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:45.631{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50440-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F5EB085458AF051E34855EEB1D3C0D,SHA256=C7E751F0AEE41A22DC4016405C3B2F616BD34B97A4F5D441DCD1D0286488372F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:50.306{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1390MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:50.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E294853EA0404F26B523E29AB28FF851,SHA256=3104326734EA1438FB9CEB337BF7653DDC3F3189692BEF8333A190A6DE132988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94164841DF80019CA69CC1738C52B36,SHA256=8E19FB8C4B05D5828D8A9BB5BF9ECB2404A73ED3C7708EBD2E55E28F293E2A5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.928{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.904{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.880{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56761-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.807{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56460-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56343-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:46.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:51.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B6CA05A9894B8777594D11E1CC0F5A,SHA256=7EB5DF036BDDC480EBFAFCFF8F6384E159A8A3E66058836AD1CFE4901826896B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:51.317{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1391MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:51.067{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9D825E4A9F5E2A6F51C4C4B832CFEA,SHA256=37DB1EF279E91E5B8F733119FB3EDE9012B03A75A522BC28EDA6F712678C93DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:52.086{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67622752E81EF0C47E4400DE79E4497,SHA256=8243B691ADEC802D34E99E76192263F1513ADEE95C79DD3BE6CE5B4DE13CF6C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.544{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61544-false10.0.1.12-8000- 354300x80000000000000001287822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:48.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:52.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A198A443D6BAF62A3AFE6CE22E9182CA,SHA256=EB3FCA7AA64359AFBB1DA4D0B0CAA88881D6A4F947A682D97F70AB72D2478851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E68A423C26F0FCF258C0FA854CD0824,SHA256=8A1BC7F735654586304432AD2CFAA16D9A5BCF2201E0820C4FAAF81732D5D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53F76D27A263740FA9376644C9721B79,SHA256=6EED8272866CE659D232E418E3E5DD8154CA0E4989B31ED86E7F20CA57E058A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:53.101{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4843BCFD5D6A09D10896677596DB0AD8,SHA256=F4DB10B1C2D147D6B33031DC96455E3730BBDC9FFA350A11CC492B5425463625,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:53.040{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:54.115{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2788A388CE03BA47B73B085F0A1DBB,SHA256=B1B4320D3F11D7B77F2668BB470F11B5A17E1EB081C414E43611707228CAB175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04FC72188E8AC5C00C1318501A25CD5,SHA256=CC159C35E2C9BD347ACC6BBD689FE7238B28487D4287FD7BFA45DB173627B5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.051{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3232A6CE71B416F9751EBE5B517046,SHA256=A453C94C04F0234FB2D04742E2DB1BF890A3E08E67070410467D251080581D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:50.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:49.373{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:55.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3449D4FE1CC22F77B4AF97A05B8688,SHA256=94361F53CE7687B78F83BEF1C4FA49874F1C23747643FFA63DD90A501E40806A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:55.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=529D2F7531D43EBCC87E3EDE098E5C62,SHA256=9481A471C0F533DF32AD3F2615A567D59377B59540E33896473671E6B44FB9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:55.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD78A56EA5C83C35E1AB5D89E6A249B,SHA256=81A79B5C7BA39B73F2B87164917AD854A8AB2FF094F06E09A01317EBED38F28B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:51.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:56.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A121F32FA2C1560EBF3806C811C41,SHA256=4CF333D88031E6C02BE19897640A4CDB4FA57860F4BCA60B2A473A672B9D0883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA177B62D1DD8270C09E4F597E20292,SHA256=F6CC1B72A0246334A098EFDE14CEF99AA69C06091E0982B90BA860E2AAC8060E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:52.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E8DD4DE01C5C8BDEC478F9E4959172,SHA256=1D242A9C44CF19EB969C207AE62DC1A3F9D53C7CAC5744486D3EA2A512297AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:57.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E653A01473826C63C32AE2DFA3724CA9,SHA256=C51CE21F5A882CDAE9B91E90CCA9DEDC41AD17ED5F23A445188E7178D988D3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=540CFBE919A47E9A64AF41F8189F7B95,SHA256=F9819D8484152A9AA3BC20AD3153AC47DD9F4D8CC1BB75B54EF2A5677CB03C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.829{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A41C072CB13C649237EA44DD163750B,SHA256=D9B48F9B08B2B9E28F7F57D2C2B429341D783B9E19F2CEF05949C7843BF05AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69B4E36B290073B8667AEE833F60E5AE,SHA256=857BA2B1CBBA17CD8E4AC975615072E3C19CA6864F7370370FE8D510F6C5705F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:54.481{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61545-false10.0.1.12-8000- 354300x80000000000000001287840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:53.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78969FF31560F813F3B943A8B2F6C538,SHA256=6ABF50F5BECB4849EEFAC0EABAB744E60A333CCCA90C8137EC48CC1865E41D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:58.227{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809DD6019E854D3993FAB48904A47784,SHA256=E7E27AB6BACDE29BCC2306A4487F4528395A644080E7FFB650CCAA75A01DDA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96D7FF2DBD3E8594AABFD487A74FDB8,SHA256=BEFAA9A19DDEC04BFE9EA85C45157C87479B81CE05B1071F908A788019B4367A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:58.250{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:06:59.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A172ED05FC825B18268DC97447C1A200,SHA256=FBDE32E221BE9997776EF69FE19F7272BC05A6B4B1C1387B6E66D53E87EB71C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:00.261{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9BBE2B2911BD3088DB4613FF2C6BD,SHA256=7A2EDEE4EBAA44818FCE51F8C65D6AFF2583F599160C64DF63F1F6CDDDEA7B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.362{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.336{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.267{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.244{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:56.165{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1FC7050F4DFA402B09279579D061294,SHA256=398B42AFF96C059EA646346DE80F54DDFB194EB62E7CB10F911E11E2F244FF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D9FF0B5D279A7BB14C782B6BA1A307,SHA256=9D005B94867E034797ABB19EE88991792620A8DF84FE34CDDF930A189CE3112A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:01.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353498A6015F8E50FAA384E8FA82B3C3,SHA256=076D239D9443D494B43EB8E02315AAF301D1925FEA4B1B6A21876A1E93D5C77C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:57.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-50890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.277{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8183AE8741865B597C6D7501CF4E19A3,SHA256=513E299C4568F05713479758E47F46414ED6415627827A9E487450EABF4FD65E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C88CBE2939A5B2352B3E4852BD719D0,SHA256=692C1AC3FF5211A995D3AB1380EEEB6135DF666E6A61E45002DC428E1DE4A587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:02.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F868F6BF6A04452E397163A80CB2F485,SHA256=C0B48123C42425080C6122CF175EE22A6CE97EE024D6B23D0CAC7041D71BD428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=791216D53F50C11ADCB0ADC23E0B3044,SHA256=26FD6FBA8BFE4D4AB1BC8F4CD7B1A363827E83FD331696E362800922EA72D930,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001287871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001287870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f0294b) 13241300x80000000000000001287869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0xd1274392) 13241300x80000000000000001287868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x32ebab92) 13241300x80000000000000001287867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x94b01392) 13241300x80000000000000001287866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001287865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f0294b) 13241300x80000000000000001287864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b43f-0xd1274392) 13241300x80000000000000001287863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x32ebab92) 13241300x80000000000000001287862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:07:02.465{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b450-0x94b01392) 354300x80000000000000001287861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com48904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.545{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:58.523{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466DB0DC96ECCDAFF4ED9E3004E5EBB,SHA256=0AB78CCE562CA13EB09A7DC875D15CE891A83E6F20D8647AF92FD1D4ECC70E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:03.358{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F12D3E2DD6D8C9B8388F216BFD30B1E,SHA256=DF8D9D84D14384829DB5B89E95E6FFA34D39850AF50D5388A8BC4AED8E014A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E40920A9866902A9D74B44C0AFCFD8A4,SHA256=A814EF0B1FE96E6D0D92E2C6C71A9AF198475CE8DE57711AA6292D05EABC0DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE526B522487694C3A06A0A303737214,SHA256=BE41436C3F136B9B4152681D62FAF97762EA8D5FDA0B7D06E39BC489CAEEF743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:06:59.865{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4273-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001381753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:04.169{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:04.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D94F8C751517BBAEC0254DE8FA66F7,SHA256=51C228F887D487BEB6EC6EF68E8AFFAFA850868500D250E25EB07659BFE89400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.163{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:00.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61546-false10.0.1.12-8000- 23542300x80000000000000001287876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:04.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEC01CDD48B3F47B59FCDEC5FE0C421,SHA256=A46454AAEE8C63259253D99B515189B147A7061FCE37FC4F4C27ABAD3582FCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:05.377{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FFC9297ACC051974B23A550A0F0801,SHA256=1BBC684E98D72334F28B6BD5431FBB68F52E53C5970B246917E646202BE92E1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.337{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:02.097{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-59171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:01.222{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10774-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:05.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46BDD2277C83776C69DABE923880732,SHA256=218BA8658259B7BCCF90C366B6F44722987CE34F2ECA48D34E6BC1DECE12AAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:05.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50DE7C7FF951017770BA3A6F1B9B53F3,SHA256=668982E478A6DBB89AE9E6FEF436A8FC3C05D42215EDACF1E5EE185135E933DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BC8BC493DF8D3CEC9C7CFB39DEBE04,SHA256=92A283A663D45BBD75B8AB4E4B21F7AED25AC5E8A1CDC9A8BED53FCDD9958E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:05.284{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-59331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:06.391{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E542332CB8F2A184837D2C9D396F4F9,SHA256=9CBE0ABDBEDAC2A69C24233C0777450075740D6D955A296D8FB9BB6313916013,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.500{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001287890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:03.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22198-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001287889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FFC86FC166F9D7EE03D1ED9B01D1C76,SHA256=A5281867FDD71C4412877CBB8A0D84A8EE790169411E1D43AF88BCF4066FAD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:07.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE633503CED0DE990FACCBA1286A2DC,SHA256=5A37239152F1475DEA0FBF165706B120EFCD72DD352DB9E7D71791AFF01CD265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBBE8B00B72A17EEBED9953647F92C0,SHA256=BFEFF7D8D642C36AE0AD0EAF531305CE5E654D0DFA82061BA06A83AE9325A65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:04.665{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001381758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6182B388958C60B9390F5361FE88179A,SHA256=33B845BF280E190EA60C0BFEB3C184253E04EBD7F44580843443198A8B059FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:07.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060336D9E4FB23DF23C5880BEDC723FC,SHA256=E3FF18B4527D299DC7571528821FCEDFB81AEEF29DB72789CDB414CD807D0AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:08.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6514580947EC7AC5E2A87C9D168A9534,SHA256=78C8EDBB0501E260E752EE718E60AF10744E579F255A9CF8F8D300F6A7F06BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:08.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0D4308D41A22919E33702412E833FA,SHA256=2F3A21D4B1967231A8AF6FA92CD95AD8DF0857B2C114EA920409A696E7A4E25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:09.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2734B7572E622E2BEDB6E71277BC5AE1,SHA256=4C53CC00A6E59B0415A98120A3610F04E323B5769021393CB305479052752365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:09.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA06F5FEF574C96F60CEBA06358D76B3,SHA256=1FD04869914B76D09D8AF87D12A6671A035E6121B610067E7DC87AC4E7377771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:10.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9FB8CABDFB3E720D8EBFD566D8CF76,SHA256=E9DE989DC8BFF7F7F205E5BD60D860421A35E74BDD1C61F4661009157C223F00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.822{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.823{5EBD8912-DB3E-6152-2828-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.738{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=02CAC6827F0A7D10886603F7F2FB6E22,SHA256=68256710DA22A0D1FC7A3DF63CCC98C45A31CFA7BEF337C44C13BBCAB43DC179,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.043{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.423{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F12B5FE95D8FE2A806509766039BA4,SHA256=D98AAD61D8E396BBD87B85161DDD0EBC8BC80A24D5D075AD825DEC1300C600A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:06.457{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61547-false10.0.1.12-8000- 10341000x80000000000000001381769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.161{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:10.156{5EBD8912-DB3E-6152-2728-00000000FD01}6516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B5B541D8C123EF60E0BC085688671F,SHA256=62C49298A40AAB40DB238770F59D6630C4983C68899ABA233EC87F5305C2D8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.459{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8124113C55A0B2DEBEF4D80FE7A5CB6,SHA256=0B035CD7E49E28DCC7B5874D8E6C8FF5AA6DA7E3929588A25D81748B34BD2B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.699{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.371{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:11.356{69CF5F33-DB3F-6152-1EA1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6182B388958C60B9390F5361FE88179A,SHA256=33B845BF280E190EA60C0BFEB3C184253E04EBD7F44580843443198A8B059FCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:11.069{5EBD8912-DB3E-6152-2828-00000000FD01}30326404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.912{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.913{5EBD8912-DB40-6152-2928-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:12.460{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C1DDFC89FCA82CE931AF5AB65F252A,SHA256=4A2E1494EFECD5B67D2A8706C5C239EBDDD53A273754CAE8C0D2522C5E2CDAAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.934{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.918{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.919{69CF5F33-DB40-6152-20A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001287929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.465{69CF5F33-DB40-6152-1FA1-00000000FD01}36282476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC68C7317A1BEAE795C90BDE26189DA6,SHA256=66570283F007B2852FB038602EBEA6EDC4BDE7F8D8B2CEC121BF3E55D0C748BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F8009D2E3087F0EE6D5BFAE1636131F,SHA256=5EB8CA2A5552EE8DAEE2832A85CE345EDB6A23E6EBFE31B66ECE74E1F21DDDA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.246{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.231{69CF5F33-DB40-6152-1FA1-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC68C7317A1BEAE795C90BDE26189DA6,SHA256=66570283F007B2852FB038602EBEA6EDC4BDE7F8D8B2CEC121BF3E55D0C748BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.763{69CF5F33-DB41-6152-21A1-00000000FD01}14961500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.595{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.577{69CF5F33-DB41-6152-21A1-00000000FD01}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:13.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDD6F9039CAB5E9973FB0C4622415CC,SHA256=F277E7B7FA951FA734AE6B55968D9D0F58A4503D79B85C7F8A7EF214314EF54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBCF563C844703BDD03462870E994A2,SHA256=396793153AAE8F4B3386A43ED7CBC6010E4B3D3C0214C6A735E3A3588085FB5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.612{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.597{5EBD8912-DB41-6152-2A28-00000000FD01}7024C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF2DAD294AA41BB12D830700FA3E185,SHA256=9F9E4110A30A847AA6A414357966BA873DA0E2F3A07FA0DA5B4075FC86EBD427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:13.097{5EBD8912-DB40-6152-2928-00000000FD01}26446300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F050BA758A936ED67739140D925F9471,SHA256=91D6929605D35664A71307E3D52DCCA4EB3AA89AAF8CC3210525B6BF86DB3C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.809{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.794{69CF5F33-DB42-6152-23A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:14.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69ED4B153A077B83CBC65F4FF9159A3B,SHA256=36ECC6308899CD393379463D49DCA3C0222801849B417F73B71CEB843BF191F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001287960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.121{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:14.106{69CF5F33-DB42-6152-22A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001287989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:12.426{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61548-false10.0.1.12-8000- 23542300x80000000000000001287988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F219AD73A5FF902875F18F33B16F4E9C,SHA256=3A220DC83FF7AD5CE8A00801B236CDB3FE30E3FE17B132865A0089EF34370796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:15.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D0121A7A937CB12237D381747DA7FE,SHA256=CE8E168A514D42A30544A761D1D29BB2BD857BC87DF001629FB65EC9C2E056BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1446E63B04103E5AD4CD13ED7B4252,SHA256=D4982BBEB4D5FED33FEF566E56E0FDFEE34845C375F0C78E1AB5FA361863B459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001287986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:15.043{69CF5F33-DB42-6152-23A1-00000000FD01}14681900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001287990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:16.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484AE2FDD0C204C857C43E930F39DF4F,SHA256=9159D85DD0C7C90A890A1A38632595EB4BE013593042505FB7DF381CBD72CF43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.809{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.810{5EBD8912-DB44-6152-2B28-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:15.165{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:16.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94312FAEB5761B0F70E0005502D57B45,SHA256=E729C6FC0EAAD993992354587CDABDE60561965FFD19825D7D88E03ECAB9EF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:17.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5F7E709A4869D8AE87688109C1F648,SHA256=554499CA9DA691C94B3BCDA7B92460C27BEF0F66BACF54ECE912FC6DB057DD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE6CFB468B43DFFB0E83138DBAC15BA4,SHA256=5B28153FBA0880A2AE171FA03E59537B7BA3B7534869827BE9B3EC8DD7942778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.709{5EBD8912-DB45-6152-2C28-00000000FD01}44444716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.578{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0C0936CE8235D9E3A8BB185896066C,SHA256=A2A0FE3CB26812E88580C67AEA12BAA49C88808744F78F5C53AD8EBE4ECE301B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.494{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.495{5EBD8912-DB45-6152-2C28-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001381817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.272{5EBD8912-8CBF-6151-0D00-00000000FD01}900588C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:17.025{5EBD8912-DB44-6152-2B28-00000000FD01}58601392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:18.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3407A54C3DDCD407D25DE7F0144363,SHA256=812212C0D449ABFC342E012BF15D50E9C6C102030B6D819D01A03DE2CE604C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:19.655{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6063800D62C32CA5ED18384FCC5BA52,SHA256=149BE08D5708BB371B5BBF5FC1EBC8684CB47D36AA5F33D7682B5EA826A2BB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:19.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F9A6195BB461F3857B7FEEFEFE6539,SHA256=648B8573B980577621BF215F6281BF80C16B38FFE8819A842A4B72513292C64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001287993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:20.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B0F4EDC0990F82866A08D57028CDA,SHA256=375E7DB8429BC8291C0AA4F99336990E0062D44C9479E10DF48EE81A24F0092A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089CC0DB89ABC966355B592DCDE226A4,SHA256=E2AD25F469D6DC1967C84952CBDFD9B4297CFC897C6A14C2F93FD09CD88D6133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.292{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.108{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:20.109{5EBD8912-DB48-6152-2D28-00000000FD01}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.707{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FE253AF4F369E15FD796917F7F294,SHA256=A799259CECE416570BE8C098F9F2B384D418B345A654104126119B6BAE1584BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001287995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:17.446{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61549-false10.0.1.12-8000- 23542300x80000000000000001287994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:21.298{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C17D8157874DFF60D0BB99D51C7A4E2,SHA256=0B410EB8565D3D47F29E7CC1B17CA82E162EE9CE3A127C89D4C57A9FB7CA37A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:21.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F79CD5FBEA6D86719CFDD76B890BFE59,SHA256=2B3B22818D8763E8B42B6D72D0B9C0CAD0A6917569D2418A701B1F0E241A2237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:22.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA811A07AFD701C9C14021A14FD685A,SHA256=A88F4947C48FB29C27072E7A663F46B117EDEFE9B003CA1EEBB5392AFEE27AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.595{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001287997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.580{69CF5F33-DB4A-6152-24A1-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001287996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1450ED2455A04C84F90E28B685CE3354,SHA256=963E69A6CF4B50707D2BA859D08D62FD72412AB1F06696F5CA0E82D9323F421E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:23.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F3187A50ABBB89929618A3D8632534,SHA256=84D8D37EF5A69A830CC84C1AA81B0B6CCDD4D4521E03830DFF843D14264F17D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF898ADD7AB672F8B3CD92EB494B7AAD,SHA256=6E54C746BF6E2412D47549EE38C141EE7599DBFDBA867E1F7FC43EC50A2791D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F11C762732B5C80011D90C4BF07FD4,SHA256=0B2B53490F9E9F5EEC9092BEBEB1C2033A4CEB968BE38D169EB99DB738203DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:23.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81995DBA9781395444EED89E21A19FD,SHA256=36E144403010237D11A609A1447AC1769D0C2977A0A032FEBFFBCF8101FF811F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:24.769{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7327C9C16C37D40221C8583D5A4DA90,SHA256=FF3C513275D969F3C300D7B83BDC90C047E3AA5483B177FEFB4FCAC04F6EBAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:24.329{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EF2A38CB52E09E5ECB59E9247F8978,SHA256=ED7CB06CC3603A9F8A36CDC780DE7CE2B6BEE71F1211F8E5CCC5F34437035DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:25.803{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FAA37E40E9EE8196F49DD362F2BCE3,SHA256=7A5FAE761233012BA98A191C18A7346FA515871A1B04F20C19C3EFC1BC676215,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:22.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61550-false10.0.1.12-8000- 23542300x80000000000000001288014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:25.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EAE7E80904975749489A2A25EC82A1,SHA256=69A16A11C7053DED7935FBB58580C7E65FB3256F44C9EDACFCE459ACDF2E89AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:26.834{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1D07D3A578ACC5755E82DA3633ABF1,SHA256=685383D974BB846BF1FD9398364CF3038D034BF9C332B966DC5D9F590A342FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:26.360{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B625E025C83FCB448DC16F4A24FE1A,SHA256=7A55695F8A1C07A22F295B46D54A2608AFEEE335F56CFC70533F8A3B9390B02B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:27.056{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:27.867{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BEFCC7FD4F9ECA1C310509E2EA1D1C6,SHA256=10248E9A9FF5BF179F02066B9B6F19F7E75D1E7B3B8FD72FA619EDC23A7DDB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:27.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDE5B5A740BFD4FB2FB716F9EFE4633,SHA256=FDC5BDEC3ECF3DAC11F754A9401D754132752DEC09E9F91D5FA366F880D18C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:28.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886600AE29CB75C72FDC5DA3EFC20EEE,SHA256=81E237698D0191A6BF03B2DFCE7B38E6A3911605A53F80971B78486028BFB624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:28.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DEBBE9E37A350BE544ABF78849B475,SHA256=F4207D8B1E5E32FD3BB96FF6F7902D6F878E472C85BA785895D19388F8088B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:29.947{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E672F23ACF944BBCE091C21AF3C41034,SHA256=094B37C6DBE6304DC10765C1023ED39989200263D51FBB31768CF1E6F57109B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:29.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD0E63AB8E17678B0539F7AAD4B331D,SHA256=8160D3173765C1EFF63E236F414B3B960862254E27E391DE833FFE04085211A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:30.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF1F9DC5F6CF47C20977F2494E729F5,SHA256=0EC10F2A8DF5803215C05E13E3040FA2340B91C3C8FB3714DC109299F343E770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:27.509{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61551-false10.0.1.12-8000- 23542300x80000000000000001288020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:30.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DBEA86E06ED471F5F5ED2E1C1D0089,SHA256=09F920A3E809F539DBE55954A354386018AB406854B9D48304E6E92EBA7EE2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:31.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A876DF7897A211F961E61D6B9513727,SHA256=540315A5E2D685DBD6447F2EBDE771DD82A97DEAEDB7BB8B74D542EC24801175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:31.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259FD97EA34FE9A669B3974F7E2F5426,SHA256=D4F2C62FBF733DD7AB682DAAEA6C84D2281E9DE86B91CEE755352CFDDDA44E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:32.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D02B8E348CFCDC941C214903F50F85,SHA256=F825B7AA0450671A886079EFC8CB845A86E558161A38DDFA260A0C69D544CC15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:32.236{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:33.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B34AD25F3311F60A8055332ABA23CB,SHA256=7C1457DC8B45C7FC242436F13EBB219A9D70A82F764C6665F9DA3CED1C792517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:32.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD65B51A74C3813447E97F5EF29F1C6,SHA256=0053B442D6222FA0BBFAB21265A536255CE119745646588709C104C6DDED0DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:34.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8618C04B3CD68DB543D5D207A857ABA,SHA256=18E1E54F5AEC8C484F87CE0349565902AC91D2C871969B18B1A103BD70DDC633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:34.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5891C8A9D9D03A89257E582E36C5AD84,SHA256=82E8F9080F5C41CA5A4D84D0077238597AE7FECC7E922D1F8F5C2DB1DB8D7320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:35.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E971386F3383927471AF3A8E40D3A841,SHA256=6504E6C766890B5F736A3D3CDC1D05A56B09B0E7FA9382C40736DD3D5EBE545A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:35.013{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422E6A99341E1781518AE84F6A9207CC,SHA256=C982CCF4ADDE4DCC7BB0416222E4D9A624E6BEAAE84AEBDCE2C06F26C4235EBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:33.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61552-false10.0.1.12-8000- 23542300x80000000000000001288027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:36.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D845F44EB97788D05C338E1E8944952,SHA256=01B62F814C258B8E7462A402E90FDD24EE2F9B976F68C13333020C5CF8267C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:36.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C82434075A6B004897817B7511903DD,SHA256=622B14ECEFC02F1C5D7A740F4EC4862B5F94AD0DEB4AD507C4BFD8E8A4DF9C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:37.488{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9896F57EF4271AF97F65D824A73F01BC,SHA256=8D5460F35AD5696C1BE7DF067EAB0F5B1C0692BA7DEAE401D8D7A2088777569E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:37.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6617F3FF7B399194CEF768E68A5AFBB9,SHA256=A6CDC4DFEB61E1E0608A81843F946E87EE4C5496769B67C74CC55851DDEC2E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:38.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA9AB70C4392D27C5360E5DFF0BF1E7,SHA256=D38B6EC9B67C205BB7DBD822B797DF663845DB63E746E1F3B9F80B9C90B0A046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:38.060{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAD63C078EC70CBE7A19DB19B162914,SHA256=B854A243D4522EE6973CC5B96095D24B79380B4047B4E12A2933F5C093C0AF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:39.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26787BAD2E33C64E836898CBB51BF386,SHA256=47F9B8FF0BD2D6022B578377D7F7C3A8A6AE6BF4489DE34A89B70EAE88B6B28E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:38.219{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:39.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB8EC67F13E6A6F623F3A748FC5BFDB,SHA256=D2019F8FDF4E87E1A236C65CB5FE17E4F0A561E760E907CA741071DA92C370D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:40.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4261C1E6520D4ADD5A8E81AA73D4C566,SHA256=1F6CE7CA5DE4E231F945197DD4F153395853DA8E0ECBBDC9F9E265729C985DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:40.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE814E92B3DE56F0DE012C13B7AB3D0,SHA256=97C3EBE2CC160B56CF1D9FF74B5A214E6D8CB0FD3C0C7834AFBA17700E92B92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:41.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D8E9932CF2E363396C242C2CCC3E7B,SHA256=E67B9E1E2C47EED03C51E3AEEE2A6E32E0855200AB9ADED755D5A0F4F07BE7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:41.164{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF9470D85CB26B8E73842515C3138BD,SHA256=280BD302BAF097BA5794733656C24E32B63EA5BB773751624D4400A716589373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:42.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21132A5253F29D40FF3C28638A194180,SHA256=EF5670D5BA0D1E2AC2EA01741DDE82A971803274616E8CD47BA0AD3BE93484A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.181{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCDF87CBEE0F9A0CF9E49BDA6144D10,SHA256=23BB755794EDDEE6522429279F61C13124B8E6D796F58C0F231BE59A6B4710E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:43.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCEB42F64305D211E4D3393FEA12225,SHA256=7499AF9654DE489A8832E697974378A62405EC39F8981115B24AD9F998642D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85967616FDB4F9FA09F446816D5DEBCC,SHA256=66EFAEF654FB2E0AAA320DE080DE56D404436D5D6A0AC6F9774714985C1E045C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:39.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61553-false10.0.1.12-8000- 23542300x80000000000000001381870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CBEE768CD7A149493C19301D0378A4,SHA256=95D7B3776C263FFC96055051644AE392B9B49417450B76DE329360937BD64D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:43.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83FEABBBBA36EBD7AB513E5EEED9C5D,SHA256=A2995657CF83A1C8DB0048B466A321BF0F6CB88BDBC1F97934EAD7B24A6AD271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:44.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FD587A5483C7ECD1AA6B701F0042C3,SHA256=50226DDC85713DD060664F5DBFDEA741B3ED034A36E13C3BD172F6771DC659F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:44.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A998E6041C81ACA862E69FE402F2B956,SHA256=C65AA948849BC637A1CD1D3D66C05F952C9682754F77269ADAC47B352DC5FD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:44.222{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=66701A78DF74C2E1BE5FB54419922FEA,SHA256=3CE41F4D962D6388B40714F951FB200C3E1AB6D26B2B709D84CCD47BF8ACB893,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.973{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001381872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:42.973{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001381876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:45.211{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D30F7433404868D6CDCF75CF1F478AB,SHA256=552520E02CCCB38FBF824612052258A6463AAEBE0BA2F1B3EEF05F0D2AF521E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:44.155{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:46.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11F8201A6A7FFEBF112557F788F6A7E,SHA256=A4D6B710C3FD7AA5B2F7B2207B42143121E146CCF6FE79F37BA73483F66A8BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:46.941{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:46.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C3465CDA2D4D84AA77767DC5B61C1B,SHA256=8623D4498AEBDDE061C6236EA4FA507DE501246F5A4928117257F233EEE545A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:47.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9551E1104A6E9F6F72773A1BA0C6549A,SHA256=709F6B15B7AE5FF9188C26F774B2AD6DB468ADDABCAD02AC9079C56442D5D0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:47.462{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:47.310{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A9E53149EA6F4D2CCA28EAF2F0C5C0,SHA256=8398441D9A9E0C305A8F5BB0A02E067AA5DFE7842F0C098EA8332E27A068D254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:48.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A255F0819AD09146D064EF4B7111FC8C,SHA256=725D68849B149217A36B744D360E995110B620C8F7E1012BDB8D5CF4B831D826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:48.804{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5708MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:45.277{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61554-false10.0.1.12-8089- 23542300x80000000000000001288042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:48.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5564AE3122C34259A8FCE52784465F,SHA256=F17F4E652B6E871F65C39B1D7CF0E090BF86192991EF052A91558ED34A38A3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:49.339{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8703B9A39B2B6E1FD7AA342E25B75032,SHA256=D6ED424426271FC57F60D5CBE408456185C26168423ACCC46CA5DC3CECBDE380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:49.819{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5709MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:45.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61555-false10.0.1.12-8000- 23542300x80000000000000001288045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:49.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFA4462EB7FE373F6DFEDBCB6C350B4,SHA256=B585E912BFF5B3F26209CAA4FD840888D15D0656607FF7469F802C618282476C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:48.448{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001381885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.977{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26099B1C4055258058C5EED5DF7A2BF,SHA256=6B0A99DEF9DE0715FF997E9D6D3A14DF02C7826238BFB06FC08AB1DFC918CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.977{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06CBEE768CD7A149493C19301D0378A4,SHA256=95D7B3776C263FFC96055051644AE392B9B49417450B76DE329360937BD64D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.357{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FDBFE3E3DA73979A47530FA79E9137,SHA256=E6E546246CDBADE9339D7FB2FA0D9BD36C7F47DEB331D31AB9D3955FABD1BB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:50.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEF5D1AA2B57EEA71E38975A5C113FE,SHA256=346776CD9F30DF5D82B6EFEF58EFBCB5CD0A18EB1FC223D07E0789271BAC36A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:51.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBE1A406CFADB10AB3A66F99AC0EF38,SHA256=27F608E3BD7704A3EB338884F3B49ACCFC287C1F64BE4E15B344BEC52F0DD57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:51.826{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1391MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:51.408{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9251AA786606CB88B66282BF00A78D6,SHA256=6AFD46C2FEBDEEF63A566E5E70A896339F591909A225CAAA96635AD89C0AF264,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.815{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse2.57.122.204-3779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:50.131{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:52.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F06401FD73152A617D5C8B11E31EB3,SHA256=3B36EAA316C8BDF7B092D928FFCE829412D89AB37243D26D4488792EF5D8CAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:52.839{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1392MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:52.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FA08A6C11D561BCC50FA859AC186F2,SHA256=CF3358A6908F0A28D62CD1542208C453A1DD32922E481BD0B57CBECE09E76DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:53.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73E24C20023C14AD4526CF7FAF982F1,SHA256=A8C8EDB92292E8DE7BA179340B1B27865F9FC94B877CFF54A73EB29F3257D422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:53.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1F9FDAC86480DB4E13AD694C8C24BC,SHA256=20DC5F44F14B7EFAC92D62EC20B3D237BB7688BE633401D63C2AB1BC22A2661C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:54.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F79DABD8F8FF260546B88A3654137C,SHA256=8BAB2676BBC2230F25B8A708188950AB8CB24FCA70696D28A23255011B00B083,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001381896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001381895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001381894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:07:54.559{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001381893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:54.475{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4222C7EBA0776A71CC7F8BD99DCA4EFA,SHA256=B28390F2F50DDE2DA6303F47E153363132DA42EFF84F392883A7FA61EF62267E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:51.452{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61556-false10.0.1.12-8000- 23542300x80000000000000001288053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:55.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F96947F6C8661438C3F0859B9982D4,SHA256=F4C9E63E65FB1EF775CE47FEAD72F783463EF3662DA52DABB862CB3A27EEF3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E26099B1C4055258058C5EED5DF7A2BF,SHA256=6B0A99DEF9DE0715FF997E9D6D3A14DF02C7826238BFB06FC08AB1DFC918CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.490{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64E6C031138785C74170331DB25C3F0,SHA256=4B994CA54515DD0F4261D4747F8D8A4FBA5D10188CAE87065905101B63851AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D4BEC2F3123F9A6C591B83870341F7,SHA256=66755E4D5FF80D09737A0AD479B28BE89E474E8E152DB59345F647717A5CCB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.504{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AA89C3F24EEA6EBC53842D0188E6EA,SHA256=8EC98A6A6B28C9D49E39B2FA7501EB286C89267B5C7C1B9A451BFEF1BE035099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:56.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531D51A3815C3A8D4CA76BE4705EC0FB,SHA256=5B8B1709F0A8D0C41608B2FD9DDBB015A62F744C5558DF9EF4ED1B92FE278463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:57.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7FF8F9CC31FC6339705B89C5BADF3C,SHA256=4F3916ADB326F681626DEA331E9F029C584CEC4A591EF1E9BFCC0DCFE3B3985B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:57.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88565A0D4A23AAEF8CB8F4C90F38E91C,SHA256=4E39181C77AEE004747513380180F214B867E794D98233C3CFCDD0747B33816C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:56.128{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com42082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.573{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.573{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51299-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.564{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.564{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51298-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001381902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.547{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51297-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001381901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:55.547{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51297-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001288057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:58.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9A7EAC4EA7F8A781E2E55EC770A1EB,SHA256=CA0F37271946E11166DFAC56B79D51581A81FF09B5CCB4F97A96584ECB3FBBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:58.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86761062FE4B7852D48E3E22E6BB903,SHA256=F3D5DAB2AE7623775AD854AB83084949C0A8D76E61156105C3446F56C057AE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:56.484{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61557-false10.0.1.12-8000- 23542300x80000000000000001288058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:07:59.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF2EC529B093946A434EA78FAFEC447,SHA256=6A02BD1B8E7A0432F82658AD92455C1E1868003A6A34B90B1C0879FC41FCD127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:59.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8D35077D88740D4BED236CACAA87E0,SHA256=985D5658D2D55DC51DDAEFB2AB1CDA6888243ADF2421EC30F8BBC5527E155450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F58AABD7058A66ADA34FA59072F1705,SHA256=43591D61B56CC322061DE0F7C6E0A4C5A3395D8273374C36A492F9C61D491054,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:07:59.670{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-50943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:00.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6463249C7BEB084FFE28DD856399FF8,SHA256=B36368E16E40671E5D40B4C552E471B5EC43F9CAD3F53C10B15F279F8833ABA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:01.140{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001381914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:01.601{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FAE4670F2F34A812BCE96F833203FA,SHA256=746E1A34B685984203C95213CDE4CCEAD745AD1062F4C88BEB79D37405EC9D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:02.601{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32351FBC30A379795F9067151A3FF760,SHA256=B1403C3FF8095019D0E2AE5510920910A327A037EC41948817335249C4B9C4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:02.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C49682739CF52A83C1A8C77B9DD289,SHA256=675D55020BB4286CDCB57DF2BB8030BF62DF74F38E4C1DAB99A6D9EA194371D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:03.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FECEE2757F0C04C73AA4F4ADAD24C2,SHA256=BD6B1B87CEA160FF9BCF623921C9F7A2DA15FFB33AC348F74721B1072069A5E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.355{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61560-false169.254.169.254-80http 354300x80000000000000001288064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.314{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61559-false169.254.169.254-80http 354300x80000000000000001288063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.313{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61558-false169.254.169.254-80http 23542300x80000000000000001288062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:03.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC598A03A79AFA0FAE474D98172E7F95,SHA256=07D1D4C4DC687DDCE3A4756DC8ADAFE25412828C0F532966A928BBA1C2C74C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9947952024E9E28C48F5FD77E9B2A145,SHA256=7EF15B7CDF9EE4CE5866D1DC3D190506AAFE177F3BCA825D5752CCC27FF6C379,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:00.468{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61561-false169.254.169.254-80http 23542300x80000000000000001288066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:04.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F692AD53CE2E877A3EC070EB39EA27F,SHA256=E3FDF01C4E7FC09F9FD2287A53FF9135E1758DA6631F706BAC3B7F21446A87C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.247{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.208{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.351{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059F65278D1952748CA44674D37E99D9,SHA256=7C21F40D8B0530CA1E34C7D2DE393FE1AA07E514973F4E7D67CDE7FB404B3346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:04.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A92E469041F33D8AD2B50D00BE48AC,SHA256=63DA749627A131560119DFD46F91A489994323C23CDC5DBE4CE59FB45A267453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.632{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB2AE973CE6C269F98C2CBCF319244F,SHA256=0F8C78D37A0C8838C2549285DC568F4C85C006C9885C08D2CB8AD7B39906F4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:05.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A9E16E1527AB8FD6EB56880B810B3E,SHA256=BEA7EDB278FD39B472B9A0D6C89931F24DD8D4D497A8E2391688229C4677064D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.501{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059F65278D1952748CA44674D37E99D9,SHA256=7C21F40D8B0530CA1E34C7D2DE393FE1AA07E514973F4E7D67CDE7FB404B3346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE56FFD88414025E64A7FFB17C18DF4,SHA256=5371A0649435EE01B26F0F0B669366A15CA2D9D185854339A04DA676F16E4F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:06.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31590CCE25529D6CA72AA24E83FF2CD6,SHA256=785EABC39045DEDE49E21F21A0AC205F0584887BF232FCDFF4EB1B11A7356D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.631{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E432570F5D03F24C691D98F60D126826,SHA256=378536A2677BFA1B5274672E51560AB5CF0A290DB3EEBE4ECE70C6F699E800C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.193{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:05.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58998-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:02.424{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61562-false10.0.1.12-8000- 23542300x80000000000000001381931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=759E203295BD97274383594BDEC4D389,SHA256=39D702C68AFE2AF370646465B220506C07574A47B8076EC30399A1AE0F48B9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.730{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966F1F89F7D05C1EB6B515B10AE5E88,SHA256=595DD3DD29D4DC7D62B94D5C86101EA37987F0CA04AABE462EF8665A6E900EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:07.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C09000C3C65CC6837CF965C7E357F2,SHA256=C2CC4A2C7733E90731B45B21CA8582989D1846FAC2C3268D4B98C2B4F6DCAD5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:06.518{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5846-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:08.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FED2BCC99A9EF7FBFD6F0173B7EFA4,SHA256=74BBA633BDD7249AC22152C19C74CCABA94DBF5C28E4BADFE2C28C45E9E8ED68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:08.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C297E31160A036792E1F6E0DD11D87B2,SHA256=494A0B5C2C8A34B73879494F136AE14DA0E01DD593421176AAFE70B821B48D0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:07.850{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:09.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1456F391623ED76BB647104072715F7,SHA256=E6A1FEBAA2E0900AFDBD89E7F0B8391E5501E35D27C9787C8D25FBDB333508C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:09.766{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A400D69ADD4845EF3B14EC22289417,SHA256=82A7679200FF9A66A2BBC3030DC02ED97038E02A4FF43F060D63D80BD9F6777A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001381934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:09.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9119FDD11144F7164E3FE40F3E28C92,SHA256=4CBCAED902283DF96FA9316997362FE440C017661B457BABA303376A23788757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:10.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F276E43F33DD89E57065EA3B9A5C7C0D,SHA256=F6A112015610DEAEEAC7A62173C9F9F0FC499AEF0BC9D22E1E068B490D0C9E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.812{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.813{5EBD8912-DB7A-6152-2F28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.781{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8FA5694F3B140DD57BF710742E9D52,SHA256=6F08B4AF011DBEB1810D7AC17EDC6438ACBCF43B87B57507058D0545C7BA5494,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:07.471{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61563-false10.0.1.12-8000- 23542300x80000000000000001381947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.744{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D80FD229123D6FD652C2E3C7B200633C,SHA256=69BBF2B5A5FA5CDDD30A1D007E7A9CCC4203D3AB37D65900157F3AFFF341274E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.078{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-23519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:08.988{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=499208AA2EEF693FAAFDA98046E66A71,SHA256=C9A26FC3196C7A8F3BABACF8BB2A22667C6A4FD6872F051AFB77AA8937BEA7EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.165{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.166{5EBD8912-DB7A-6152-2E28-00000000FD01}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.796{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8A9734AFEB8FBDA1A59C47D830A116,SHA256=61171B0FA133BEF635105283F94FF260F0ABD5926AD5935009C9E656C5B2D51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.635{69CF5F33-DB7B-6152-25A1-00000000FD01}38883500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.369{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:11.354{69CF5F33-DB7B-6152-25A1-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2052BBDAB69BF7A8D620AAE581F84743,SHA256=9A88B51E52BA1790577C821BBA3F02011AC24664708A451C8FA3B4E760C2B633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:10.996{5EBD8912-DB7A-6152-2F28-00000000FD01}64966404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.864{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.865{5EBD8912-DB7C-6152-3028-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768149FFA2FF213362BFAC24E80C4A4A,SHA256=C0A71EC21821FF5FA7C165CC44A6592E71165D491508A1B8D2EF2294261651EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.682{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.667{69CF5F33-DB7C-6152-27A1-00000000FD01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.432{69CF5F33-DB7C-6152-26A1-00000000FD01}25681740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C812652D682F73BEFEB539688B54F,SHA256=71F9566F78636547B7400580A1163DB54A62E9EFF8C2C907C00AD0936ACA202A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF898ADD7AB672F8B3CD92EB494B7AAD,SHA256=6E54C746BF6E2412D47549EE38C141EE7599DBFDBA867E1F7FC43EC50A2791D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.072{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.042{69CF5F33-DB7C-6152-26A1-00000000FD01}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5E6E2B45B5AEF954EB6DF42462F7D8,SHA256=99DFCA509297D08CDA4CA2AAAA7CA006354199E7E715D9E37B999FDDC3E90EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.134{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001381961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:11.261{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A393FE5F7D410A656DCFC0BE2E76634E,SHA256=B75AB7969D2AE07524F5EAFBA5BAFD141EC2FC174439E16095E280C585046DDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.507{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-39900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.775{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:12.750{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02A6A57894DC0743903C0A85C3A0B0D,SHA256=220E892FD8A8594D0B181833CDBE99210807D877460E15439952E1836E2C6584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B98C812652D682F73BEFEB539688B54F,SHA256=71F9566F78636547B7400580A1163DB54A62E9EFF8C2C907C00AD0936ACA202A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.588{69CF5F33-DB7D-6152-28A1-00000000FD01}3440996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.369{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.354{69CF5F33-DB7D-6152-28A1-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:13.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBE3B207FCB3A62416D3509B3B81AB4,SHA256=53CEB3CB748A602B9249AD751AC20EAC47F9C9E7BB1C244D646F2CD90D9005DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.711{5EBD8912-DB7D-6152-3128-00000000FD01}57287132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001381981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B3464B3081FAB23D6A180773853FB7,SHA256=BC9227FF838EE8414D9333FFBEA14F286663823B6523A434C42E75EE02F3A6C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001381980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.549{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.543{5EBD8912-DB7D-6152-3128-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.978{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EAEF19B188DA272245AA9B53F55EF1B,SHA256=1026CB5017C576F33CACCD8145BEC145B22E568727D4F2F127B36BE2A123AB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001381988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:13.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.845{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE6B68D5EFB9729E3C3903D8D7F5684,SHA256=CA92B7C3C898085B462CB694E2E4544BF562813258E35E73B46ED4A6919C75AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.916{69CF5F33-DB7E-6152-2AA1-00000000FD01}37282660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.760{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.744{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.729{69CF5F33-DB7E-6152-2AA1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.416{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A49FB25C5219AF17CF90B03CE0B8DB5,SHA256=8FB75AD7DAF9575176E04AF24BF99E32C8A7AEF5BC692C63E3C78F90FF4BB3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:14.042{69CF5F33-DB7E-6152-29A1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001381992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.976{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001381991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:14.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-45551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001381990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:15.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA12662B62A30FED39E87E9BDF493B7,SHA256=4E3A4BC7C935B2B9A5DADBA698AD001F911EB23F86D1B596362FBC52E0441D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:12.486{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61564-false10.0.1.12-8000- 23542300x80000000000000001288165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:15.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550C661094103F74CDD15E7C15627C7D,SHA256=5362F74628E619725AD87F52115CE67935437DE5C05FC1A0609F93C5376CA399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:15.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48F96B6D3D8BDE0902A24D30B9CA332F,SHA256=18417ADF6C824048EB749C14299D0C20A3061BF20B203F3D034D49179E8F51DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2EB4863A04EB3A223A0F9B3B9F9A38,SHA256=B86AD3D5036E8CD12142CB75A2E3563B1780479DBD4176E6D31F4277506D5D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.052{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-54865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.011{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:16.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86073350B24316FCBDB28CF2989AEBB,SHA256=E180329D371EBD68795CC423D9716E7CFB036E99BE30A20B85821655D97B3DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.842{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001381995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.824{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001381994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.825{5EBD8912-DB80-6152-3228-00000000FD01}6824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001381993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:16.124{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEBD2E407053D0C0C386739EE18A72B6,SHA256=B97843790157F0124CA306F50C83AB67A62B02B1CAFF8102799C0F2A18D7AB33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C560A45EC011C0D888ABC4D49C8A8C69,SHA256=B2B390429D13484D4317A90155996EE3AA06D100DDB7A7C9F4F4CF1469ED8372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:17.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982F4AADC6510BC407C42D1B3FDAA09C,SHA256=EA8EC42F97BAC921EA9D8139D6C155FF2322178678627085D07CF2322254BAEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.540{5EBD8912-DB81-6152-3328-00000000FD01}46286284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.347{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.343{5EBD8912-DB81-6152-3328-00000000FD01}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF0E14FE7963B53194D93A7BDC260C6,SHA256=3D66A11AB0781430D3102A5BEDBB02F59107A4DFF51B4FBDCA03E3AE220341F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:17.110{5EBD8912-DB80-6152-3228-00000000FD01}68246812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:18.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF233B736363723BD093DD63860044AA,SHA256=4792E57E1AE5ED0E8D98DDBE27C1DE994C33A4485B242B98E3A61AA225CC1827,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4728-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.330{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76720B28678C57E0E03BE224931A1B4B,SHA256=D560C91C8C94DB8607947F7654AF2496F0BE1CCA366D424874155EE87253C594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:19.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA00E2DE84EFED017AE83D994071F0,SHA256=A1D9E8C2054A36D584FBB35E30A3A1ECF1A7C04E7EFEFFA99069C7ED756DD925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.342{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69DABD9BFF0D002399EABD970D0F5F72,SHA256=C7E478B2CD1497FC4F8A83ABABA92A1033F18DCC494C41950D5E9338D2291429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:18.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC348936DB66D4CBEC21022CDC1BCDD,SHA256=9969CE400B8B04B10CE72C3C76F4057DDECF78AA1143FE69E1D6821D950FD954,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:17.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61565-false10.0.1.12-8000- 23542300x80000000000000001288171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:20.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17BB567F446F6A47A084DD2A67306FC,SHA256=7CE5EAF7875621CED657FE8D5E2629AA9E8C3174DBB1A4DE8BE31066C79912CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D912517FF9F24BFB2B95555751967E6,SHA256=48F47AE1D468ACC34817C7085724AA93C1739823B080A52A6E3FD50D83C2186A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.130{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.131{5EBD8912-DB84-6152-3428-00000000FD01}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:19.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ED0959BB332E0568E9D9B0378BFF58,SHA256=1223A2F3BBC36D9EEB7FD3B306FAE11FCF949400034D7ECCABEF27250117CF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:21.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B43A662D3BD5889D1F948C2399A8A70,SHA256=3E96EF7BA3D5D1B68796EF486C2A68C2582206CA0F3BB5781757C2031CEB1071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.158{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-18324-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:20.438{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.698{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=694BA0B212CD077F61694A829B4CC41B,SHA256=3DAB48BA84373504331EFD73FB928BC28AABF803EB3FC0FF13FFEAE3638BAB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FBA6F18D693839F8E84B6ACECECD20,SHA256=D91390B08969E56D11CAD389FCB8E68DDC05D9DF2306E655532508F3C30F40E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A1371973744EB83BBE0640F8980E5F,SHA256=1AF157FB52FEAB8ED9D64A45BE690882A0BE68B5293E9EEDBFA7ADA3E6BC5212,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.715{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.390{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:21.570{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-17657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.782{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=059616375783264EB63DA30F0BA1657E,SHA256=B822DC6C0C3164477C70574BFFA7149DAA221C7AC83E012539846D8C0A2B4B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:22.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61702ECD447BB302BEF84277FDC438F,SHA256=F0E52AD53ECF9CB7898A91EC7FD080D741A56983E8869BDFC58574E442B6EACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.591{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:22.576{69CF5F33-DB86-6152-2BA1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.965{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B63F54F1EAC541A06957AFD67C193CB,SHA256=D170F50A519B6C09CCA47AADF4A645A33C6CFB894ED5D609523A883C5FDC182C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.505{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.174{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3501C6B770330A17D4981C68E918A22,SHA256=0992DA32AB21145CCD66C53A47104680DE81FC164FDEB5F832CA5DD3446561E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B09F3FFFFDEAAF66E57BB54787F5F99,SHA256=521D3ECD2A20701E8694D349A318E91AC44885FF7C54DFEABC8A607490146B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF57EB6A1397FBFE4AAFD9D125900B4,SHA256=CB10458BB862DBF012443C6F5F2DABA15C62A8B27007BE49085426307CC49FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:23.794{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.081{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DE453E6F470AD2EC6859445BDC58E2,SHA256=8286AC97B9BA48F2769CF867EC61C44EE58ED2B1EB8C746AB2C68710A07B999B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:24.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88597917AE445D32EB1318A16B7467AC,SHA256=795A3D42801598078820EC49E9C2CD1AAEB6B8263BFF9FC1049906426D18EA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:25.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7877FAC9ACA3D83D52B8B3FD8AF272A0,SHA256=9669780514CDF43BB075CB6EC0C0E290751761F19FD8F5FF8D51D0341AEB61DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90631093BA6E046D02B25BF2CE1C8EB7,SHA256=AC457CF2E543D68DE651A2D1BC3BE178FCF3E23185CABC371CB502082753F355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1470952BA0E7D6E5ADEE2FE879CBE83F,SHA256=8A798CEEC06BB56A934BBFA826C86B873AE7430C2D09ADF52F6F40997F945891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:26.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EB295CBA72056833AA076A3FFCBE20,SHA256=BE85C484C8D60D7185A8BD0038BDEDF096D97A3111DDC37466FBA8F3CA3B39E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.195{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CC9E3DB9F5964564E1B11054B4BB6A,SHA256=72BFD89F8D145A9B19BEB3F2137994AD5D6C7E855B642B76F0D7651E0EB2193C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.064{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46F7BAC41B10045A090A88B0F4F2A92,SHA256=7BA415FF874BFED17704B542D8A2AB1887D2A0B1A9BF6C78F821B2CEC4D5BA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.977{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:24.641{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:27.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79DEBF08C6BCCA3C4DD3BDFF707A3BE,SHA256=1499EFE2BBE3DA16EFE71ED9C32F0CB3D4B92290390C3433F4315B7CA657F6FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FED18DA62757BBBAF23E0402A1AAA7E,SHA256=BAC7E9CE7864AD5A42556C7F2A3BA702F8311DBA4D0318C7AB1A065642DD9974,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:23.505{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61566-false10.0.1.12-8000- 23542300x80000000000000001382060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.211{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CA13C25305B518A740A012309106CEC,SHA256=9F713F1C19BB169EA6A0764432EBE6B20407C3D6013AC0BDF10FA6C26273D94B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:26.055{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:25.933{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-41663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:28.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBCD85850886AE2982C4E7A0F2A9746,SHA256=16C7B402E1FA030B6388877FC406BA44480068055BD6C7DC834C8EDB54147191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.296{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F578B114A174862835CBC249F578DDE,SHA256=4C7DBC316FB9840B4BC87FC1442CD77AB80DEAE5BEF7182E053B4531867CCAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.227{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832602177C8FE6D65B55086D36F2709D,SHA256=CEDFBCF97294074D00E88176B1B2378045784E5C0DCC208EBE6C2E3D765BD93C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.139{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:27.108{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-47775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54ECEEA6214A84C41D24D9D3C47CBEC,SHA256=42EEF27C57B18FB2903833A57D02D889990669A7D1B99805E82F90ADBC745308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7AB918E356A87814D79BA13AF7E1AD,SHA256=06D90CECC278C7AD4DCEE47F691A433A4F96C055CB06C702ACD8E7AFE86EAD99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925906ABBD68822E0D1484B11FE53052,SHA256=1E180763DEC496F7F14E9D6A5F06D3F7C6CC43E53CA8552E58D13098E497D102,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.462{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.223{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:28.187{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:30.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A8ED250C79D7DF72D51A3E6EBF6E74,SHA256=33747EA67D36699DD2EC0CA9A3AA21C3BCBBC164432309B1C64EDAA4B23F088B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.850{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.393{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52313-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C9A709174CECDC811588BF5ACD6FF49,SHA256=0BFB3A8EBA0C41FE1C5AD90EFD89CDD9B10CBD04825FCBCE0A40B0771EF26716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:30.295{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200488B76D764C6B1A38C1C2EB821264,SHA256=B1C351E578762B03686DC05B9AFA82CA0A8F052506345E25D103F74F172D603C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.694{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-1483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:29.309{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:31.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9E5BB86D7DF59708721D1BAE18B675,SHA256=C6022C6F357CBD13123EACAE2E9FBCDF346B44DCBCC6EAF6F7670BA1FA7A6A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.545{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D75BFF44CFF7C56655740829BC4C187,SHA256=80B6DB9ED502DFCDBEBF63BBBA7D97C5A9E5C49456BE5B2AB983E4B0CB767F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE242AD35544B185B69B52EA1A0E1942,SHA256=B86E35F9A9D406FDBB805F24C6180E19745861688801B377712D45FD402AF7BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:28.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61567-false10.0.1.12-8000- 23542300x80000000000000001382080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.624{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977C56F441ABDB3991002CA02E4FFB32,SHA256=1FFAA5D795D2352E05847CAEE7F7CA613DE3FDA545FA3F708EEDB9E734D39380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2C75BD07D078A42DCA1B66D6FC60C5,SHA256=77C47D937923DCF442ABBC280E8D9539D53F52333452052EACC04F564FA9C8A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46715-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.358{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:32.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCA9DA793184B5D57167C89BEDC088A,SHA256=EA98BC963A5829B0913E3C28ACC488839A84CC93F4B6185F53CF5F4A0C90ED50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:32.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B09F3FFFFDEAAF66E57BB54787F5F99,SHA256=521D3ECD2A20701E8694D349A318E91AC44885FF7C54DFEABC8A607490146B85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:29.571{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61568-false10.0.1.14-49672- 23542300x80000000000000001288205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCA9DA793184B5D57167C89BEDC088A,SHA256=EA98BC963A5829B0913E3C28ACC488839A84CC93F4B6185F53CF5F4A0C90ED50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6E0C61837B0D1CF7906CBD66C717EA,SHA256=423295507B913B4735A53AE8A89B528B948C509DF59A503D0606C3AEC8981314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.761{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524F4F2114FACBDD3DAD9513A03F36A3,SHA256=89199E8542F22F5887654446B7943F63283B1211ECB19D773520DF74A948E90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.343{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1531BEF60D014B6BB4356CE69C7F190,SHA256=E94DA323CFC27928C3BE753FF69B904F91986AEF09074C68FC8500531DBB5C65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.553{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-1841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:32.246{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261568-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001382082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.975{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:31.475{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D49D86BAC7091189866E676F481652D2,SHA256=815D575B946B0A5627924025C8EC6F6546DCA591ED4647F3785B0877588352E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.361{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD9E73D51D20589683B9F01E9FB6556,SHA256=2C7EFE4E9C463F657671FEA5B352E5787D2CA20B8CA9BB0A7CF849DBC5C6211C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:31.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:30.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B917497D1FA75C8B0107B136E6F01529,SHA256=344FE4B9F8649EDFDBCCA0E38C4CFA6BAEC03D6469600770C368231EF7D3DA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EC6E12148336DE776881A3228CBB43,SHA256=A650CA4213899C9808B94DF3880C1ACE617F3BDEE0967DB2EC99F632AB0C3BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.075{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.975{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98D1EF8C8DEEEF42B5B0FD80634FF2EE,SHA256=2F83F91F26972776273235C8029C8660A5AE43AD4CBB18B3DC0B3A9259D65475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F36F2099EAFF0FC29D9BA40DADD2BE,SHA256=5421C3EA447FDA99BF8BD08DFC24FCFBD2AE0AAB113676DEB1F41556146BFFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6BAA3D60CC3301659AFD9630AE34B64,SHA256=E5262497706CAB0431FE105EFB28CEBAA5F467E72DE38274702AE7C8CC4EFEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEA3FBBFDE1DE8CC614844B4DADDA32,SHA256=065474C9926BBB0CACD074B39FD5317A32A69E11542C2499393CAF9D80AF3BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.788{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.336{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24014-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:34.153{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:33.676{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.390{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFB2C4CDBED857DCB3D5A2ED6CF22A6,SHA256=29AB745B7E8FF634D67255F55438C524DAF28D6407A4F8E3BA3D00371393A77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2F5EFC05131A2F0E2C1CF042A463926,SHA256=2CB2729F0FED1C816AA2E2BEDD1872FEEA3427D5F9C9B9737A20F4CF769DFDE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:33.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95E075AAE24EB45CBF236E073DED454,SHA256=B9BCC03593F030FAF5D9C72A4D00B5F2739F491D249365C83BDA1FA8F80DCAFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15402-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:35.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29731-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:37.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF81F15FD718B41539103E21ECD251A,SHA256=F88B49C9B61BA8850217BF739BAAF15C150F57901E407EB3076E573E8FC87EB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.442{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61569-false10.0.1.12-8000- 354300x80000000000000001288217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:34.213{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.090{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30E86BCACAEA4F33A861D34CB38C2B3,SHA256=831EE8E0673BD191F7DC9B0F87C67A881BABDDF3FF16B458A74439633C41FCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:37.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674F6B054BDAABFA9E214362F49F5BA7,SHA256=1114C6E7DBCB5C4C9B71A603ADC56198167056E7DAD9CDA9ACE9696F23E785BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5443F602D804CBFCF3F6105972BBCB,SHA256=D83E30F7440ACC640DB1FF1D1FC19259750059BE770C0CB1777A0FDC6684DC68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:35.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:38.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6F228C20FE059B602BC2FF8B024345,SHA256=625AC8DA52D95926CD09128C1EE20939DD53244E6311BCD6A936C204F1E639DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.988{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:36.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6AB0F04724B78576645306A3E97D195,SHA256=152BFA3B8E2F10434ACDB312B1BDCE490F61ABEB199989B0A3356A58442ED35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713587F2046092824EF66A96580696B5,SHA256=26BF8CF554145FDF8155D2B9AB203B91A4392F516D8B20B889AC923DA8203CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.457{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C467BECFB459C1AA7960341E42DABBF3,SHA256=F73E3A66E987F21C3DD4D419DC8ED4A4BFCB762917D97BAF9F05B79960397E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81FE0A5ABED4575875AC746865FA6AD,SHA256=E8ECA3DBBEEA168CE30F23EA430B4EEEC874772D400D4DD51AD4D38A27EE17FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29FF0E1F347634EF088ED5D048121EF0,SHA256=219E95699FAB8A5708961AF5FE6B5269A539AF91DE18E8136A0A740B4EB965A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.071{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-24101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=533A7CEB2BAC60123E78D4DEAA607209,SHA256=96B7221CED6260513FDAB41A79533B1AB1A7F5AADD5342E5597683DE4F143BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.472{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE9C7EA7B973B24631E4A28E9982C0E,SHA256=D0913A8454026F872B34733F0DADB532DF1B56322DE9C0235EECFE5A04B44F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:40.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513A4A0FB6E98E9BC5283696F3A615AF,SHA256=BB5452182C1D5330F58831D18B453AB6B039FF2691CB8B2EC1DF42E1C74E2DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:40.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A511B5A36CAB4112C7C9B1DF10EE7B8,SHA256=33D4BE5A13D1025C4BC3F765ECF47747821A7C656BB112A9274800A3F4D2F380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.356{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CB484290AF6BAB82992960F50C0D16,SHA256=0D8A6CBBAA6B965D27EA1A2E085283D2B9D48F65D2D81B3C9090157E8FC3507B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.433{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-48601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.201{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:39.165{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:38.299{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-42748-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41F1D8361E3EB93E278D4F4E57E7A68D,SHA256=62798E461DAB841DE365FAFA3B159B13E894BF6CE061FA7022B9EC54386947FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA3182E6D5F4FA18FC3EA03A191DA27,SHA256=BF18DE74882F5212D109F3C7BFED72A06F578E66A165DCE919298584D10DE83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B39A00187730BA59FD5C09A39A6D381D,SHA256=586C610002B6F5792DF050FA4AB318E9F41411DE1E63D1FD199E23C300BD2B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E08E2EB00BD756364A60758B11BA29,SHA256=7E3EF9D413E7EEE27404E29013DCAEB8F7B14FC3EBFA201AC7E51FFBFB481988,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:37.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28947-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:36.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F64599B8749C93A74CF88907394A534,SHA256=0FEAF7ACAECFFB0B0E0F9BBC8B8F25E67D1F6FEAB2669982CE321193BEEC0CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.502{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B84D918B2B4033E456D628EC660184F,SHA256=0443B69DAE6629A63031CF2D00DA84C5DFEBA9390561C909C291E5FC66B4F387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=476407F1BC8DFB35F183CFEDB3246C37,SHA256=312CEFD98C68FB8AC1EFA6E7BE13F0C9270D727D02A999871888EEBB0D2B47C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD7FE120385142D8DCFDAC520158FA0,SHA256=EB0F9A56004C31036126557ED96D74832604684BF848F5FBA7DEB27E6CD8ECE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-55250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:40.287{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-32870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.701{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E3847C6BE7D48F5A8DCAE0301514BEC,SHA256=D8B3C171C87A06C16306292B23300741516AABBE19FE208809D1FA8348991FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA970BCD236D38E3C38312E4B5E06EC,SHA256=60D1369BEA141A7F34BCE2D7117966B42FE923EA01CCA8302375DA58CBDE0981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C59B62DCDF8B358F76E979A2572E8AC,SHA256=4270229B6CAC3F76C81C01E9422AD005DE1E870A1D173A1E9EBAA310B5C2C773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62319F6B353A4FB7F7615DE5AF70E7F6,SHA256=B6ADFBCD06ECBF6D140C31632F1B3A2BB388454ED6DB8EE905AD211E162A1C4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.500{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.046{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-2399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:41.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-36990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.996{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:39.616{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61570-false10.0.1.12-8000- 354300x80000000000000001288232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:38.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.789{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD6D744F1A6DB055FDE1923AE5702E4,SHA256=72890B42CA26FF1B50C0CCE383699B6CEAAD2F7505BBA1C1A11CC9EDEC9C4A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2CAD3D341E56D9164579F0E0FECF25,SHA256=16A6BE0BE02B04DBF506A524A3D2DAA90913E1BE53CDDA9D2E3CE020D018F6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.233{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=49BECB2C098FE630D49D6ACD5A35F049,SHA256=4AD712CF35A0D604603B20757AB67FBBCA96D1029CA5381FE21ED37C2FD7A523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593A4C0094635C9D9AB7E538185DFB1F,SHA256=26E2DAD004C06DDA811A23F1316C221E4F527C78C1DA7E28D3481157BC638071,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:41.246{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47441-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.597{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-45866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:43.168{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-8259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.978{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:42.978{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51309-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.859{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7107A9806E8333A65B3751C74E232EB0,SHA256=016F87003FFBEFB79781448074D9E04E3502F3EB9BB024DB0096F0F629A8C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.574{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF084E52CC72AB0F852F3E376239D5D,SHA256=889AC722E041BAEA54A13A55D136197055E2FEBEC644C58E4CA08E0F1CBE5572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FA916BFDC0B6E34A1AC6AF57558CD6,SHA256=841E1DA1A98A30B0293396DC4F24D8EC5F060268130183F7B32EBA80B0510F06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:44.224{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=088F88946A81E7C156C3CCA167BB1B71,SHA256=1E1616562DFE14308BDA66008289113CC98C6FD94F1F45C96DACBE13C21C8428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.959{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D03A0BF6279462C693BE1256D941F48,SHA256=B7F7A65E7B697C5097C7FDAD8F3DE4A10E8C8D93847A293F9ACC560726B320A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3549DA3F306B7DB15AE082176011692,SHA256=7C3F287C96610FE3ADE735756F23184D4755694AEE299EEE29B60B0AFFFFF3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.968{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:42.326{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D47CCEACDF4D5C6073B5A206E1616DA2,SHA256=87325EEAC3ACA711F3E971EB739556ECBA53B413B962C3F0EDF0094E2E8A9088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B751E2CF1B030013BBEFE0F2918EB748,SHA256=F91CA148F044220534AD5481ACC41945450EDCC33A5C290EDDA4311AF4C01A79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.649{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-20217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9144068811F5B0E368B5D7DB9F106D48,SHA256=146D8B94135872EAE731F9E75BA180D158DA5B9906BE2E968BB21A815B7C932F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:47.436{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA7A48703BD00B1D6BDBCC3783881A9,SHA256=CFCF25CB64C956D7C52913605F2A4C94D16D4D11521F5983C44E466C8FB6021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:47.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B177B1C30B7DDF63CD159BD0E963D9,SHA256=D788A9BD392DD509BACB11A71558B88D064867EEA4A1EDEF423D88148988C4DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.911{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-26521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:46.887{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-58956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:45.802{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-54650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.490{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70E8F1C16836D69B69453B1610CE87,SHA256=DE3F5C212B8C87C113112EBF08594F657834770C2A2BF28FC283A18593F2F40D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.413{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61572-false10.0.1.12-8000- 354300x80000000000000001288252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.304{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61571-false10.0.1.12-8089- 354300x80000000000000001288251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:44.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:43.440{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA15BB955D6BE73E41E44F046ECF904,SHA256=AC43C6B69B5779B99A43D18EAA9AD7EBE5DD230728C952C2B343FF7DA7BF60D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C9938CED26244B9CAFDD63CB5D1EFA,SHA256=C22B2D4BF51426B2089C572132ECB71838DCB82D21CD3E6DB840ADA23AF82ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEBDE5ED8FE64526D9686CFB0D124017,SHA256=02D4B3EF357528DC658578F839FC71B550EEDC0C6AEF3C3A358363677026CE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83793E872C3E010165204D8829BD951,SHA256=F2B314BBDB46571620D60829678EECFCE1F3F231E3FFCC899E3F7E2B84E2AF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F158DE979B9C7C7FF1C62B9D948D599,SHA256=4C2CF4BBE9909E56A533FF056D1656C9987CC1D265C0FCD70A193CBA6A0118CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F333B8E1F9B3F4F134FDD20A3D715C,SHA256=05DF304C15754DA559D8421A4B025B291C83EC62706F103429FBBC1B00DF6FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.053{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.466{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001382148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:48.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-32782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:47.971{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE4FF0CEFB5E7EEFA25D91647BD0F5DA,SHA256=BA0C17D7E4938105F8FA3423425D33F2ECC764FAAAF90BF7A1B8A561DE9E2FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.643{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4BBA113D92077CB8D25AF1B304C55,SHA256=24D41187282B6EEE24524446AD3C59CC01B0C386B9FC3BE7D4BF03987030BE64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:46.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:45.821{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54DD90C39BD8A9A5483812A294D158C6,SHA256=6734A413D50A732D03EE79B81673CD56E501D21C0C5B774326513D9F14988633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.346{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5709MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0679FCB9F331926FCD3E9BF4A919ED8,SHA256=FA09768684EE41CE83B3D4588FFB4EFDFEC63E31406F59E17E062627DEBCA689,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.029{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:49.562{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-39434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.322{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBD47329B2EED84AD149F6B6049323E,SHA256=15A37DF413C9287AF13980952F9DFCF68BE7394A46AFFF52EDFA8330723D41A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B59915CAB49D06CF27AE4E6DF48C24,SHA256=EA8E7EF50F75A4822881089333303B63A7D292ED6800CDF754420EE3C0535383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A95475EBFFD94F4B59C62D7D7FA2EED8,SHA256=D2A2BEAA6CEE2ADE7F8CFF469F6DF19DD78ECF88A95422BB7544BA15E16022CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:48.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23105-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.358{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5710MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1646F06ABF718E920A53069499FB465C,SHA256=74712BC2D860ED978B4CA25FD12BA2CF443B2B7A98A57F55BB6DF55814DD8D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A76B0BC48959984C52FD9509DC37E08,SHA256=3FB9B96A6299D9EC314F3957816AEFBF4E6229B2FF90EE99BD582AFCB7A745EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:50.242{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.674{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D586BFC0FF668F236BBE4360D45C586,SHA256=65622629BF132FDC1F546861F70B3E9CE1CCB4C888B55DBD236999CB329B29A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:49.229{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29243-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:52.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5952322DE475F82779EFC56E9F293CBA,SHA256=7C626273FED9DCC8121382622DF356EEB83CF56562A857A022E8B7F7191C5AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EBBFB42C0FCBBC306061BC1B833236,SHA256=C0B509B58A382826328DB6300FE5B8F1CF5D90D021B3B7A1BEFCF7511DF13093,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-51804-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.334{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16907-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.105{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-13315-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.066{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:51.050{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-46325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22BB0AC41C99E584C778F85A8054E10,SHA256=AFCFDC075A61936D7E9EE36DB3D3A5705447F6BA730573F4ABD1D91EE7CF1C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F853AD79073C1396C9ACAC4D6D1EF3C,SHA256=105029320FBFDE73F7A708FFB7BBC157E9D46133E20D8A7C9C64C870418CD24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.520{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66CC9439A46ADFB4CAFFF5D283FA31C7,SHA256=22AE495C6F2AEE0995905E842ED03CE6BECF88F74895A87DB7FE6E0B8A8EE389,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.260{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.419{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-21456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:52.318{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.361{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1392MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62A2AE53F80BE26548399656E972117C,SHA256=356175D7F033F100B00DECA5DBDB74AF01A9E22042404E5043212D7868116771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A8CCB7D1F01C01C71BCDB4560479F1,SHA256=DA6E85CEF52644C517F3F43661C8BF1FEBEC3C9FE6BFB1C2558CF3C22CACAB92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-39805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:51.428{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61573-false10.0.1.12-8000- 354300x80000000000000001288271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:50.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01244D4C537B8CE138CFD48D4C122C2,SHA256=72398EA1D0596AE6E4A9BCFECA2A5BFBF4532AEC2DD86F23C18EF1BAA73B1F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.604{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE6C6B6C3FD2A9D79D3FF1AF2280DBAF,SHA256=D4B72EE653E39616430A8F25767201C72F10ECB1AEF05813DE8590F63D1107D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.403{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.374{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1393MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10922D70555E61EC5D75DF01FC1CBE49,SHA256=90C6FF13AB01D34D84006D7FF1993FB185CB8DE5F404DD8B8C0AAE249573FB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26E2EFACCFC758E74142DEE718787455,SHA256=7FD4285693F77D23DD792E8123A0A29B0C53BA8CE8A5A462A99BDC76571345FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.707{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E6F189E52C9DC44E6A2849A1604492,SHA256=9E9D918F0F02695680C60C9B5A97131A7AF3AAB1AE0D54D9C50997A92AF4851D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:52.670{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:55.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A45C4556E3CB7165A47770EC5ECFFCD,SHA256=A43890949BE24B93C81ED2EA6A70090FF6854E457CE8E3D3524CF9204350ABFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:55.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCD96EB8A87B3BE03EB6FD7F8FDE2D9,SHA256=BF1DC21708DFA9BAA15E9F35AE61AFA7F9BCF56F05072BBCD4002AA9B35AEECC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:53.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.824{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8010E52FEB443AB630CA45069F79021C,SHA256=E376CBC6F8E2401C17A536C55391472FD9A8621D43FF8761E2D145E907698EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A28E3BDABA2EE58CAAEF4BDADDD0C0,SHA256=BFA7901DC8B952028E3650AFA636A8D13DF3E9C3F75DB0B2C02A63D1F5FD0B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D2A27EA3118BC521A4717A53C4C9E8,SHA256=FAE100BB2804CC91225FDED06F8C7CAF801312DF79F069038D4AC1B1A8981BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C07F268A3DA5EA7F55105CA4B281160,SHA256=7BCE466BABA7C7EDEB35E1C206893540FEFB8CEF4512338160BED3122AB3EE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-47211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-33996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9823-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:55.180{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.786{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39230-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.587{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:54.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D547193763B3ED79D75696474A47BEF,SHA256=9336B8D0E666E97C6DE4C31136ACF1CAFFBA6A0769313FD7729B5B3AC21366D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606B6F00779BC4430AA1F172A4FACA6B,SHA256=D44FC5E0B773A89A088C67F4D70983BF76D8D374782A903A5282E6DEC899E980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.942{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB60DA47CF327CDA391511340858755,SHA256=D0ED4F8AADF664CAAF2992080B0C0848E187E85B1FCF8DD19D569EB1D032F52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3055C4E34FA9C4F4F159FCB514EA878A,SHA256=2F55A00F30A95C0E6C14F285AD906D42AA968BA27C8409B08E0040B722BCF9EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.806{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:56.751{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-38356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:53.761{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51896-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.744{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AB30D512EAAF32052F15A9ED955C5A,SHA256=EDC6ACC0A0E620FB4344B69FB89828E8CE4E0AC65D44288B90D429C917CC268D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3BC98B2A6D27368BE71ADCDD25BC49E,SHA256=C9428A368FFA063DC999C53E239E2B86AD64D685EC417A24CFF6B45E6B6698C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D5DD729EC7D2608365D39797012FA5,SHA256=077A5FB427C301D9855EEE1FEBA72C43E611C1F736D4A548483EB12FA8C202E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:54.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57867-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.186{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.036{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-21884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:57.090{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.791{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60023F7F03C20BDEFE03DA516C991309,SHA256=F8FD3744EEB254D8952F68357A5507940DEA7012D0CE25E84EC9457504297839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.988{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A4A1C3B7660433214ABC52D0DB07EC,SHA256=D81B0A457E0244A813E4D4C31822723D7FCA1F954FB2109C8F28817455F54F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC5A58A536CC9EDD2659C0E305CC39C,SHA256=31DCFF64158678D52C2D3F50D9451654B73A5BB93A16D6362794B3FB44A1D6D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:58.951{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA9E453B1BD926857ACF723C08DC392,SHA256=61991E497D5A4E08F7C2C683F2017FC32F088C63EC3F430911822369E33AD841,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:56.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12854B693A024837E9DA1594F4588200,SHA256=DADE00FCB70DC498C34D2A0BA33A50568AAFD0788A4AD2B145024649372F061B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.101{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51821-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.414{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-28256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:08:59.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.206{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96CCCFD7EE3D36419C54A9F45B5B3471,SHA256=9925DD4949366A03EDB9F740316C89551BDCED57CA2DAAB1927EB8AB043EABF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6139C029557F466064699BDE2D70844B,SHA256=B044BC96254F97E57A620850CFABB98731884566CD0982E14D0EB62C11D161DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:58.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:57.433{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61574-false10.0.1.12-8000- 23542300x80000000000000001288290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=515D2F5CC4D6C7DF1BDCF660B4D6B68E,SHA256=0957362D13DF909842F5A285C9B1DC2774040E72878707B81129C1C30104E029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9FD475BB58011EBCBF96B0D375BB3C,SHA256=D569898E4D31AB78BE8435A45AFB5F2EE02C0ADF50C8B9112FFA95F15255BB0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.360{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.326{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.303{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56658-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56573-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.258{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.054{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.032{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.010{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.987{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.964{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.889{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.853{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.814{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-35179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.787{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.749{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.727{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.561{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:00.214{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAFAA08C7870F922F92C0D12DEC96D9,SHA256=65DE52636D8D5F809DF75DF243D67AB432817306E6AA92CCFD7F8E95340C2C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A993477588DCB2B7FFCB826F8D0348EC,SHA256=A7F0F1ED021E368F7B892D132527502F712E398647757E8BCCEE5554E168AB59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA42769525C673B7F09DEB63F1A2B3B,SHA256=E1ABDDCC895F86AC2967AF2548DF1962332AE3592ED1BB048278BB8F9DA9772B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.055{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:02.000{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.977{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.954{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30815-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.931{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.874{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.824{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29918-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.786{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.748{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.725{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.600{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.578{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.532{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.510{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.488{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.465{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.442{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.405{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:01.383{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:03.887{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806411164A7035F979BDFBCD31C4147D,SHA256=F4667C9668B07B8FF7CF27E5C9FC61CEE94B683DC5C6156B7E3417834D30CD2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:08:59.560{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22701-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A6B8E5C0727BB2DD0569A43B8E3F53D,SHA256=112BB2A41C8A72A23B119BF7E2588E9C13898CDBC527CEA62E76FDCBD592358E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E554FE6F3A29B6633755801BCC989AE6,SHA256=1A96826505AA040550E9559BC3C95DC689ECAB00EB7567B9351F526959A00183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:04.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E224B3CC2B92A641571169DE88C7CB,SHA256=B45B4FE57AD8AFDE1F91A6594B7C9DD27FC46A7CCB55658E31888A488286B497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:00.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28731-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C6D57756092B236A1113C00AA4521E,SHA256=366FC10D3AC1207F981B113DBA8F9D3C37C54915E261CA955DF5F1E9297A3E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742E29FFEC9BD78B59A4042BEF74BC68,SHA256=A7613F92BBD14C693B64E520CB6CB7D1B90F10F2CCE685639691D51A9858E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.970{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA8E03C9C6073076479916DBD874D5C,SHA256=618A4679500390BFFFD6D5DDE30C5F3BC7C3800403DE070A9F8FF6AEE8EB1C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D6352D62C330307C8741D4CF2D5F42,SHA256=2B29BA23BD29E73BC62DB81AAFEFA07667E1C8DA43D4F811B689346C353C03AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:01.813{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.332{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C717AB2B0ABC065DBAB2B1495610A1,SHA256=DB19B8189963150ABD96F20315AD05F929DAEE209588BD8F11C1459D6D32B830,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.410{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.373{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.349{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.312{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53664-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.252{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.229{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.169{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52830-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.117{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.095{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.894{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3D3D40F06D58BF82F1AD536C51BDA59,SHA256=D4CAF27575A32D6CA35CBF7F57E9A07A5D2D3A81CBBAEAC9B81F16F88B8AFC31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:02.480{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61575-false10.0.1.12-8000- 23542300x80000000000000001288304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723BF7335E7050B974B62DA784EEEB2D,SHA256=022419A88D9D9548049C9EFDB11AD99840D87DD313CFD4594499E3BF0E83A1FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.316{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2080-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.291{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.230{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.191{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.168{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.131{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.096{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.077{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.051{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.019{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.996{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.972{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.913{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.841{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.812{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.778{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.739{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.716{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.693{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.609{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55921-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.586{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55784-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.541{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.518{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.495{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.472{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54969-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:05.434{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001288309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:04.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:03.079{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:07.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7FDBF57D7070A4046CDC1397CFD975,SHA256=029CDFBDE5D61C99F5F5E8C0999ED4E9BEEA2E5D1C3E62267789AF6B1101FFFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:06.340{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:07.000{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C39DA4D5524B720F029DCEB438D90B,SHA256=3ECC50E1CA3C03BB6CF605C30EC5DABADDB0F758F22D6A8EB8065E7FA61B882C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:05.282{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51973-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89795342C77BB465B0102AD24B9C7244,SHA256=10431E1AC95FC6635D41A065A8F1936D769F63ABCB19397D39DD81FB450D9EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:08.014{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97AEB0AC86D5034B2FC5D436E744AA0,SHA256=0319A3AD40427DD003C70F94CC96166454F928FE31023996022F57C954D4FE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.019{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E2C3722326F385334C2914D16475E52,SHA256=F6AB8E631D8D7A39109EF9DA95021AB34922DC2742BED72923996F802E059828,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:06.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:09.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684993B5A9598D79565CD12501EAAC7C,SHA256=563FB62538F9D187545102FDEA729B3B67BCE64758DC98C3095987F7EC27E02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:09.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5659187DF64D981FFEBAF271F5027485,SHA256=1D71D0996E9643DE14BEEBD5BECECDEA10B2FA89FDA26E626133773969FC906D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:09.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCF6034375FF65437EFC0B7FBFD7631B,SHA256=49FAC612D9A6CA4D61717A06F6EB7FE16F2315C5509E6639CCA18D1DB8123874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:10.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9371B052FBD54701ABA35E39555322,SHA256=A9AA7D3DA2C0E158DDA5F339AC34CD592A508D6F86C15C4F3B351D9BB7A6518E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.854{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.855{5EBD8912-DBB6-6152-3628-00000000FD01}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.754{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=704319B0958E93B5971E54FF04683633,SHA256=31518FEE85CFF2D3FDD98ACBB7A873E5FB16452C6E3E52AB87C601B894C8E78B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.386{5EBD8912-DBB6-6152-3528-00000000FD01}30326520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.171{5EBD8912-DBB6-6152-3528-00000000FD01}3032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:10.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AB40A4F6A49A2C99998B355DAA1B33,SHA256=4761AF58C2A6A6E0970ABF3D3EED98726261F6A6F4BAE37A9970794B85E538DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:08.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61576-false10.0.1.12-8000- 10341000x80000000000000001288331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.551{69CF5F33-DBB7-6152-2CA1-00000000FD01}2841356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C6E5ADC056AA5BF1973A4DB1C9AB1A,SHA256=22689F5BBCF65CFBF458D18528F598C2D4F8133D46E65F6BB4D718F963AA4803,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.209{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702B994462A977DD5D7AF070CF3E14D,SHA256=1C05B82DAC4E5D3FEA560E8F54580BA329C782A4A74921421BF1AE7156DB4F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9557722ADC4B29766404A4525E80AB2D,SHA256=A200C0EA0F9B06817B1A36693A8102FE4973D41395F26600978710A5F03B7657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:11.070{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0F566F3CACF5A688F4AC3A8D4E4BDA,SHA256=3B70DBC8357265ADAE4B3E6A440F0975B3D92DC88547EEF2EF64600F2D47B7DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.379{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.364{69CF5F33-DBB7-6152-2CA1-00000000FD01}284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.707{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.694{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.677{69CF5F33-DBB8-6152-2EA1-00000000FD01}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665F25074ED6F66D07FC1CEA940D450C,SHA256=55DBE35C18A8C2A4B58B04308CBB89E176B143D2E4BD6AD8516A89B2B7FD1BBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.869{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.870{5EBD8912-DBB8-6152-3728-00000000FD01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:12.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368736E8D88A418F1494159826E27A81,SHA256=D34585D2F91B20570B914747E3F22E6123725C716531001B413B9D628F1CDDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E50BB815E2A9A806690C78B5DDAB436,SHA256=E8D4CE8AFDEC87C16845EC6B8070AD326EBBD8B02DE45417DFE90AB33C6F0A93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.269{69CF5F33-DBB8-6152-2DA1-00000000FD01}9121120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.066{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:12.051{69CF5F33-DBB8-6152-2DA1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02BCCA01FB4C54F9DC21120B7FA7492B,SHA256=EA107D318F786F2C8E2812B8D9440F4AFFE16B7E955592AD97F02C8D84C2275E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AE2F95485019051A31B56FE01E7B50,SHA256=805A33EAE5A8275024809A936B9015EF164D01727DB25A81B68208C161BEEB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7702B994462A977DD5D7AF070CF3E14D,SHA256=1C05B82DAC4E5D3FEA560E8F54580BA329C782A4A74921421BF1AE7156DB4F2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.553{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.554{5EBD8912-DBB9-6152-3828-00000000FD01}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B31CCFD072A79B66601FBFFD8B48FF,SHA256=BD3A8D94EA0E5F272D1C8F2CFE6E87F25674819305C9C5A9EACEE72B341A34C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.597{69CF5F33-DBB9-6152-2FA1-00000000FD01}12321572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.394{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.379{69CF5F33-DBB9-6152-2FA1-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:13.054{5EBD8912-DBB8-6152-3728-00000000FD01}68165572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.957{69CF5F33-DBBA-6152-31A1-00000000FD01}3636744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:14.115{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBA1A877C7B790EA9832E8CAF0E752F,SHA256=C44AD738AD930F587B7B3A258285BF43E4DB68CBD5A23EDB9EC195489D1F4DEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.769{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.755{69CF5F33-DBBA-6152-31A1-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.082{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.067{69CF5F33-DBBA-6152-30A1-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001288378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:10.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F675459689C4C58C4801DBEFA01A37,SHA256=7FBBE5F659C1C2A1DD768E671F9234C483F0EAAABC86D35B826559E2504FBAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:15.132{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1F39481E5FFE98A4DAC69F9E206AEC,SHA256=05359054261E663D3839454679C1A6FE02BA3CAAD2432BBEA3A747C5D96F9C8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:11.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25733-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BA0CFB38DF592C0C78E21A2B15E041,SHA256=EC5237B4CF0CEEF9E8761F66D20162D9B17EBCE15331F74DBFAD6739BD0AEF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22F7D28294F4C458636802AD8A2F1D6,SHA256=D4943B975528C185A986D6554AF178E23446A57A2677FE358446412232657792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.850{5EBD8912-DBBC-6152-3928-00000000FD01}6360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:16.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2DA9C13E6652689E610CE8BC020168,SHA256=72BE4A3FA3CF271FDF9DBCAC5006BA860A46B042C6C3811D3D7DE5F4A31E5354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:13.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32899-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:17.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C3977A196E28446C190B23EF4C275D,SHA256=757BC25441AD408D7194A95A3D71FCDED5312E8F73C69846A338A2BF4A9210CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98028365CF967C171B8A7D934D1D840D,SHA256=B272711D1AB2ADCE9D04768E2D861D1B941A9EE85ED4DC271D9D09471AFD9540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.711{5EBD8912-DBBD-6152-3A28-00000000FD01}40847104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.512{5EBD8912-DBBD-6152-3A28-00000000FD01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDA3FEB81C8D79CE78CB5BDD2CBD9C6,SHA256=DF6A640E8FCCF0163A9FB3A352F92CDAB37EB4C3233EEFBC850CD948404B3925,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.065{5EBD8912-DBBC-6152-3928-00000000FD01}63606204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:17.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F82B554940A22B52D68D85A01EAAECC,SHA256=30F499E35BF01B72849FEC896DA3E11F48798C0BF88EEDB85E660269C8B5D690,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.449{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61577-false10.0.1.12-8000- 354300x80000000000000001288415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:14.361{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AD3AC0D28911A523301314E40BD525,SHA256=26FFA6B7A756866C9BE73256EDFE9DC3DE21B3D452D27B255C852A12B2E6C28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0ED7BD994E6E5E4AC010135B0B9A9C8,SHA256=9C24BD86E4F8B7602FAF0CDFE5D9C77FDAF55A7B4CCDB6F0134324AF340A6A04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.280{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.249{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451FDB1496776E3F12E2F03E0B6E896A,SHA256=3E68BF7C813C911B4E53C87FF86C0D438DD30CBE894001F5AD8879ADE6FFB8F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:17.242{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85D29AF99ED6C30ED13A63A4DB665061,SHA256=B297AAB51CD37183A1164BFAEE54715743D4FAA004502F8B15B8BCA545273A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:15.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44035-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4872CF6D25BDE2765243D648E07C8C8F,SHA256=B2BDEBB9DE2F37EDC0A5C6DF0178C18B507A45E1010AC2EAA1197F45AE4ABC5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.851{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:18.829{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:19.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16523B681D3363C6E150B7210C292DC0,SHA256=3576FABF2F98C3D1FC7BD01DED3BCD837C53423CEA8FB85D6AF31A34B1B668F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC885B7921D895A53DB1CD6DFBE9485D,SHA256=3FE04D026AB88D95C911EB6C9761507B3590FB120378D0A90F537DE276AE3A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:16.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918E17A6CCE038AE80C8ECBD90FA4FA6,SHA256=F79913374FE7CEA18B648C04E1647381715BF319C9AC9B1E7344ADFDFF061F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75956BA4246745C394D8ED6D869BCA9A,SHA256=D44E3A11881BE749F8C760838F908A853C69CC8014A7581C69DBD8755AFDBFBF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001382411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:09:20.225{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b448-0x85915b17) 10341000x80000000000000001382410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.163{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.147{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:20.148{5EBD8912-DBC0-6152-3B28-00000000FD01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:21.410{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D3E305AC25F57086DDACA4D5C4019F,SHA256=428F6363DB21C24E95B932F70213CECEA54EC4B9E1CE867D36E94343663CB016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8278A45A7904B9CE33F70078779F2348,SHA256=9B983BC48C296D8D9E0948C919704C3B615DE49A4D658C704B6066CD057A65E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:18.000{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-56671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FE74672EA3E37896F6E7B1B302DB1F,SHA256=B9854C8D62BD423C72DD41F7718046B5C2A6BC351B07B68429D66D2654E05A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:21.163{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DB5A59B68B1A48990AD7401E75D925,SHA256=795E17D1138BF45928A7A4E4528D62759B8768B86742EFD1D218727601903588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:22.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2AC0EFEF6011D4120B89DC6285451F,SHA256=BC94C4871C8C470343FC9FEC1961C54A48EF384DF9230999DADC165468578E25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61578-false10.0.1.12-8000- 354300x80000000000000001288440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:19.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.565{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.550{69CF5F33-DBC2-6152-32A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0892B9C3F0D586037C22F8CA5F4B85DD,SHA256=3228EA4D89D4B27AC6EC1A87DEA9D0312FDB114D50D256F4B92B4B07CEA1071F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:20.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40020CE6D38D348A1F86869622C18735,SHA256=3B3382D3CCEE66B09ED14ADC42CB2A8B6EE5624BC799555A22C0812672A985C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:23.254{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:23.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2CC91D40A5E728DD2DB809E682C0B7,SHA256=E94E8A645BCFFEEA5609673A78E859346A93605E718A63B5A004536702FE3261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D55DDE3A9E3B185DA7D7DE79945971,SHA256=F8B145F507D0162132FA79113A559735C7F3A9D9B6AA7D7BD13A8421D671DEBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:21.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-16012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:24.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11C7A913F4B7AEFFCDFED84720C4071,SHA256=C802425EF3FAB04C2F424B2CEFF475A3E8485CC8084CEA4793FF81203692042C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:24.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3704618BF07FD3B40EAADEA3B927093,SHA256=10D1916FA2AD0EC026D8A0100E83DF225C5B8A50918D140474067983638D347D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:24.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3805E9EC37C22EC8AD3BB2FC2EA2789,SHA256=0057C9A968E7DC51B8A08E2E6CC7845DCDCD3A2562F69919D8D2DF82DCE1F160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BAD04C434CAF28979813CD1BA20093,SHA256=A0051B6450AAAC2ACC852C905110F0C177D3A3DFE2E505A9E0E7279F46584091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:25.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01903BF7370E47D5C9295845E0C115F9,SHA256=3E9166B51083A86CBB04EDEFCF5DB96A8E263944EF93672124631B50D6989F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39A42B46AF43A5BB148DAF7C1C2A1D5,SHA256=2476BB35E0D7109B90D2A01B9335155A624C74041323D8A3AF5424CD59C940A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3D05C494A3B3DF9949A5CE06111F6B7,SHA256=7D452EE8ABFC8CA7181F9B62B679315DEDCE83E3EE6B7794C17A8EC1AD34FFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8223B07A8A6675DA45335A5CFC9EF1,SHA256=5C68130B085DBA29AFD463E1BC33DAD80979537EA58BB609D95DE13F3C73E236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:26.447{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10884A6DE177699A41DC97F9DB532E5D,SHA256=BABF3CC0B64F752E4D74CC348F2740ECFBAC32387B2C142DF5B1FF044581DD56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:22.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:27.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58A482686343A0EAB80F289094BC5EC,SHA256=C33928E5559EFEB6551D68238B3913D26447C1BFDCD9CA100C79F30EA519BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:27.462{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBD5317E66AA56F023B9BC1B2552C3A,SHA256=665B4215D6D069CCE4BF200766EDAE3E9B164C5046ACDB404366D1E68BB354A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:23.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6D2A8E79CA0A1CF6C66AFD87390A65,SHA256=46D0E76F70285CEF306DEC3B0FCB2AE65BDA07CE7BC8F8CD4ED2ADC70CCC4086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:28.476{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4911509B114E344633FA54ACA7E9B5D,SHA256=C801CAC6070FD6FBD176BF72CE3276CB2F57F8ABB997929CB91D64065F46D946,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=442C6DF0A02E3C7026ED043707928AE1,SHA256=1AE9E0AF8B677C3E45E6E75D4688649C3820CE1A9673A379820778A6F8C7AD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:29.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035F53CC1749477F980861BA0C7BA8BD,SHA256=71A0612752E36DC2096A711AE4450A1407CDE7DCA47238B5326D6B8DDF8CF4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.491{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CF8CF0FF63984447258425E6F9183B,SHA256=02FEF2B469A6043F5B36FDE2F7E634388D85E4BE27395ED5121908410BD327DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:29.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=869834068B5C9B0DC2047363005D9F53,SHA256=6CB7D5FFAD5633DDF158B4180194E164FCC8D772011E9114F944A03FDEDDB882,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:25.448{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61579-false10.0.1.12-8000- 11241100x80000000000000001382424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001382423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=CA9A52CE58CD1D0480F0FC69B2A27D38,SHA256=43AA66F477F92DAEFF78EFDAD1C0A443B0BA889B5CDADEFB3B4438FD57E2DF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:30.506{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DD86EC93DE92862CDA0D6141C77AD0,SHA256=884A1BEFD9B4DE863210D29350BCFD8791DE718517D5A9713173CA6365AA9816,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:26.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAED89A7B8E3E5CE91D41C74DB9B85B3,SHA256=6A832754DC33F1CC5B9C5024ECFD3560B2AAE16A7EFFE649D9111E99D35FCB6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:29.069{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:31.521{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C360A341B755F78E293CB902B7A7149,SHA256=316FEE16A56DC0D7A9062881344D94BB1C9BECA23DE9DCBDA24EE0EF625250B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA21EF46DD9F3D4F044167DF71B2D840,SHA256=F8214D3488319E810774FCD2523AC02944B5FA8E9D6F1110FB9845C4F382F1B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:27.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47757-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88762F88A5A9835CDD0582BD359ED2B7,SHA256=C3F2000754BDDA64E533C9609B8F2D0F9B80AC2B164685CDC62816CB9DEA567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:32.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01BE6D8B41DDED12077E59C975F2844C,SHA256=9C1907F3CD624A6BF2F72959EE9A386DBA8194DE087605676674D87140DAE867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5643FE2CEBE545DB418C0B4919D68CFC,SHA256=F336C60330AC953E15C69A784B41728477311353E70597C36770E7A8ED58273D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:28.758{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63353C67C1B4B41DAD6058507A65929,SHA256=62CA596BADCC834553313859C54777E2A4C4B71AE3C72269F9B471B56B672C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:33.556{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2801653BFC904D284BCFD93347A5292,SHA256=69F7518CC91D7BD4AFE4AE3BB4A4456EC53E0182D6E0F2FB08885F25B8B98010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.924{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDF8A8C2CCAEF9D76AD45AEC0D0BE4D1,SHA256=50F1B924E33B7CB8543411ED9F2DF5E1D63C0C9ADAB2F2DE877308F34756DC0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.026{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3320DF6DB1C27031739B6028007F6A2F,SHA256=0569DBF5262805D3498CB58531AD530A1586542991FCD7CCAE5C25DF8471AB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:34.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C6D3F614D7A9D3D5EDFFE35B1881F3,SHA256=D106E10924AE35CB90BCFC17275EDCE4859F412D62050E8F94174EF740001328,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:30.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61580-false10.0.1.12-8000- 23542300x80000000000000001288472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:34.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3515A08B20FF1D1A9F7689D4112A3CDF,SHA256=C07A858DF50CD709746670403B2127D409FEC0E727B3D0CAA50FFF9D4AFD1B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:35.572{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6291A605C478F567AB5E13E7E4C13B42,SHA256=9BCC378C207AADB1A45E7C2A4E45C3A942DFA6A4BAEB8673B219428744C7D8CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:32.308{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:31.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8CFFAA339A31119AF0F09B7B162114,SHA256=F86D4082E952FCABE63913A751221DB81F2CED0B94A09D3CA3CCC03660E602E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:34.180{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=020F640634DB972A04CD61AB85312143,SHA256=75CAAD7191CB34D996B9E80543887E18FA5569B53D7CAD2437370C13AF015845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:36.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54243A16E5A32CBED7953F1FA7130521,SHA256=B9767898CA9CACA7335CDBE31691EE8C608990C001137340070F8CF1BC13A09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:33.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5839B97D51DEB27810D7BCB2C823355C,SHA256=9FE288A580E14AAF8B7683A3D00EF94171B9FE497C720062F0A55B22F3CF21B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EFEFF3828C1DEC44BBAA8D210836D65,SHA256=03056A590CB8A4B81599301C26F8E57AC78E68404045B438D3764D11338C60B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:34.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E536D6188A679EF6AB0F75DBC110DC,SHA256=B9743B587010F0B4F9FF0FA48E94BAB3F0035BB86B547A8B09285C199F117507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:37.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402D4B8735E16E358DF6EEF9373938AB,SHA256=B1E0E2E1A975DC677ABCE4F9A233E97B1E46B1CBC1B80697188A082E72CF7522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFC8D044925AF6EFFBBD07E6903C87C,SHA256=01A0918398E120EFF0173E3D769B5B9F427F93799C2199133AC47B2C9A34C40A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:35.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:38.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D7090C215EB1E319D711CD135A1D1C,SHA256=EAB9699D4B1800558D0B2545F2468C4FFCDF5C6174576A24167FB76D8E22F77C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:38.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E014677A6871C4ECB76396CE83AC760E,SHA256=F43F2858633D060E7C42A205B1ADB5EABB504E3CEC667C659AEA79703A9C32DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:38.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0FF3BE40EDFE327EB8EABC4CDFF32D9,SHA256=604078B0F3641FD8A4E63B43731F02FC1549B5219437F5A59C493FD8AEE9D9C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:36.357{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61581-false10.0.1.12-8000- 23542300x80000000000000001288488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652472C49ACF76C85193FD535DFD8C8F,SHA256=6C42A72432C8E60E7C79BE7E082381173465E71A419EDBA565EBE2E2918B085A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:39.655{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD83C0913E4FF7EEEA228C15CF40A02,SHA256=98EFFC41F67907E95D4D47FE9B21EC4F75F235CF2A0879BB6130C6D9D09F9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2218BA22D8EFB3A2D80EB2E12D721F80,SHA256=9D16362B442B446E4F535F5935CF0A87662F4BC3E0D7C145EDED6F2DA58F2622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDAF90C62CAF0E7801AE1A4547AB466,SHA256=BE379E91FFE53B5E33E68E4702839EAA87DF83326434BBB406A83B9CE3E14673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13CA0194B7F9F1833CA44AF2DF636BF,SHA256=FDE23091C329145CA230E371B0368A4759946C4471F3B02C05F0092605AD1459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:40.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B7D763F33D7DC89DD4E4D55DAEFB51,SHA256=90F666223BAC560354D240B9B1D602FC1479C47DFCDCC74766015A8F43B7A208,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:40.079{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:37.943{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9496574D1E506205A33BA909DB51D48,SHA256=E164025688869DB71BCEB74AE1805DD6F9EE60D92F77C9D2B7789A7D1ED4C244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA44A4E18520F254C6D1F9116141B8C,SHA256=CFD1FE226564210A586D67AF27388C6DA6EF2F4D87F8C806A0472B7C9802CE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02554457391CEDFF30393D7124F20D52,SHA256=42E865AF2C33CA963D92AB1360195934495008498B96D39AC5980364B8F77129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:41.685{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3344412C446955F83005FE9152301580,SHA256=53C287D13DC0BFD1B0D5B4D9C4BA8AC76EA7E4AE75E8783FB3FE619ABB6AF4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC91D04F18F6732F40E833914AF98CB,SHA256=0D75A9B441867EF67D8B4388CD2949A92463A703AE4FF9AC5882487D68977D6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:39.082{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.716{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5988C04059470A6CAACE53A0606BF34,SHA256=057752CC5A0F9C4D063FB04F83832C70925360163C20A4B51E60E065C088FFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD034D4E0B92B55E5CA2ABF1FDAF2F6C,SHA256=2FF5129F1D53DD652F562D58541D7B7CCDC6F0C6A40AEFA8832BDA92B40F5CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:43.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD477D740847E13D866669BB4AEADDA,SHA256=BD2FB03C0245AF939E7D01328C537FF995529130760F36A93AA94363C3FC7FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE5F6A0A300368C5042F2EC7B9CE2F1,SHA256=7FD0768D32C74AA81642ABACBE923FF455F72287D70837BEEBE18FA89FDC982E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:40.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.993{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51322-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:42.993{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51322-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.016{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D50FD02DBC4CB20E165EF934C251C3,SHA256=D8AD70218DC4F9B0A1769B4061EBFF29952737A4F36A9C56730ABDD0E9FC4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:43.016{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E083448790CF9B008461FB967A21D35,SHA256=99D26DFDD7A390F305D566E28A0147EBD7A43260AC8AB125E39251FB496DF939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D365937EE30944BE4E4949691E65A7,SHA256=2AA40D0664383C622AE48AF66A3CC00CCFE6CA339F0EB338AF7823959D8970C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.357{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61582-false10.0.1.12-8000- 354300x80000000000000001288503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:41.279{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:44.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631A9BC75570E3A0F9835252D82005F,SHA256=E24BB94FA077C094741C8D709F3B0F5D0F69829EBC38AC4EF4AC684068F0C551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.240{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=24D0EE467A3A45E743DEDEBA8794A6FA,SHA256=8906BD324ACBD702E94E0B75453AFD6BFCE006FFBA8E5C7389BB14A6DA9D8BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F198DE22BE15384D61AD670599C0BD,SHA256=BFA02BD3A5C6BCE426797304F5624AC1553A9AA6B0619A04313F670BED2EE008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:45.814{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E197A32707901CBFA0581E767D7B06,SHA256=586B5D22CC2F8DEEC7D14D83C2299278D0AE34BB43CD46061F6BCD0BD4CCFA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BABCDBDF0464D9339DBBC551D3D029A,SHA256=749C85588686D890B7595A94DBC99D6C65EE2D78E1A555F6FA6F74C248E8D1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:46.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8534FC08A09B133EAC8DDAFD6280D2C7,SHA256=9782288355E2C869D227CEFF36524DBF8C7E7F571A718C287045A8CECF853F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.974{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:42.394{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F1DC202AE8A86011AA87D428C586EA,SHA256=CFBBAE261F25162DBC799ACE1B45B415E11A47579B208F74BBEBFE9BC4F8AD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC11C26074605C028B3E8CEA95A5A6,SHA256=1BEADD1B50E8BD139B982F4F4A26FB4C2F060A985CA3FF4CF5F67875EFDC4E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:45.191{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:47.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E6479A88D93456D7244BC515914858,SHA256=62638FE9F59FB5CF6E8065A5F6F5ED5FE01CFEC795E10F704F17FA21193594DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:47.513{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:47.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=380B0409068D953A0CA1A52AEACEC3F7,SHA256=BFB46AF5D6B4D40680ED970246736AF92B26E931C4299B013F0E51EEAAA42465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:47.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50ACA56786A7AE7CCABB87225E35E8A,SHA256=0D583FBD1FC7372706EC34B7EA1F6BB0AF140BD5BD86925FC532E3E559672B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:48.897{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE06CA10B90A51E8443463CAC074B6B4,SHA256=CDA40D6F6AC9B6A94CF9F005AF417CD5B2C682B8F9FC749035C3322A709FF93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=409F24DA58DE414F7F783B88791ADF03,SHA256=C02B808768313BFEF3F721E251BAAF0186CB19A50997AC60CD09A5B8A3C7D2AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17493-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:44.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com56539-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:43.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11282-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9079B19EAAFE4FD578430EE2ADF8F5B1,SHA256=50D1BFC5C43093B51C08D51FF72267954A951544172FB45E374AABB2A6738383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:49.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CE94E5D395108F1323A3EFB0B76010,SHA256=E917D836A4ED31FDB81B25876435F6E4E4ED4715F07E516755346D2D4614F84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242AC52DC3846454E74582E4DB182AB3,SHA256=46FED8750DD0A51424F8F5441A62D244682BCCC40FECD8D0F37C97030C214617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97FE7AAB45F5ED444A7E8950D3FEFC,SHA256=CFF371C05A53334EEFF35183EBF66162221A1E000F6ED7D0867DB2C1FD04B38E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:48.490{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001288518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.326{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61583-false10.0.1.12-8089- 23542300x80000000000000001382458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:50.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B287D775E10FADD61AE416D7D458622E,SHA256=7A9C0E64142E0A0696FDBA531BAB3BBA0D64D3E56FD893E998BF2B4C4641247B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.787{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94843D97C1213143658AB2748E22496D,SHA256=FFE9681B146C711FECFA7D5DF8A319109C764C414D743F08C7A08E4ED0A3B554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5286825C608CCEC668C220E4F9A08E6,SHA256=5E09CB120F06E53E17C894EED26974DC86FABA8D3CD7EE308168330AD38B7CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:45.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23561-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:51.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2DC77B5637991988B346C5EC8B0226,SHA256=D526F23A123F7DE49F75E678B41D7F8ADA49FF11A115459BEA1038ADF14E9DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A4D84A2CDF9D78E93C2C519ACCA0EC,SHA256=C3605D91EF2FC5ECB229C0B4D0CB90FCFC62C17788901BC4E162D29804C24DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.884{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5710MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907921632D54E1A194F021F816CB510D,SHA256=DEC1C8B501BF61E4AA1582C0D0B6A3C84EEC8F44FC6EA38FE5D40E2836F483C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:48.069{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:46.373{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61584-false10.0.1.12-8000- 23542300x80000000000000001288532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.898{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5711MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DEF8487D7452B77BD53355EB81D401,SHA256=C2AA8854AE94E8E2F0F4513EB3037C2885F37B84FE99548C0FD18124FF374739,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:51.172{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:49.160{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F10B5A32936225B09757119CA967F4,SHA256=9008F88E8BF01D29F7C4ECA040A2D2AB6BAD39A9A448B650A1D886324CEB56E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:53.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7852573D1652B035069B75E5C1E910A2,SHA256=5DF5DBF9F0EF6573AFB77D1623A192BFCD459E73536A52959999EF784FBBEFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4023DE59106C649B00EFD90F2A517FDD,SHA256=D2A0A25B2BB43DEC6AD1482BFAC4C371E9134A5E0C75129869C22A645CE7DACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99606CE051DF761C718C4A33B87DECD7,SHA256=F6E67E049C85CFC5B4CAF9963641CE167ED2DAD3D7EF04EC2A897D5FE414A54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB1CDC945DE3480152E150D04AFF3D0,SHA256=22455CB9ADDFF258F460E4F443709C98CF00879C660849C34600317884C864E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:50.343{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:54.896{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1393MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:54.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A6629A5251F4996F4225EF72661043,SHA256=39A9E6B70F43EB9EB19E0ACC8A82C2234990C70ADB6034358C45E645B965CD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF28C8F900212AF83D5799B3A3C2932B,SHA256=5369F35DE9C4E2F644D51BC037E6D35B748782DD028492D6F249A95E9E2ADAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:55.908{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1394MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:55.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802EE6B0663D5D3D91015A75B9570BCC,SHA256=DC04091E44DEFC4B075BD8765F1E01E89D742E52C2AC83BE1E560F6D97EB49BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8664E1A42D6D2A7777CA64A5F4AFD6,SHA256=CA51710EDB83ADE46954D4B2F406F931A72267EC5CF84457DD6D944BCCB93391,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:51.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53043-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E387225E9E7908FAEAEEDAFECFD9CB2E,SHA256=14170F375D11AB926EC256682200FC6F0F2790582BDCA3C74F49F3F49F41E39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:56.144{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626724E3A6F2849E778106D05FFA34DB,SHA256=3B0F156FA653AAF1739B0999E190A22FFE7AC1569F53E103D9E9A6BB776CDF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79143FB52B3C19B2414FC8D55CEC73F0,SHA256=8E3A46BFA05B037FF3F8B9E733C7055C38539328EF20D0EF6AB22521A9E5F2D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:52.390{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61585-false10.0.1.12-8000- 23542300x80000000000000001288548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD3109CCF38D0E5F3B538D47228D057,SHA256=977E594702FACB5F35FB6FC90C2A91F8E8ABD872896F82604E6B7525FB3CAD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:57.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7D287E915212B3D7CDF8E9CF49CD7B,SHA256=3C9B1ED9E52894650606118ACF5B3E49464A651C9E42888CC2D0AFC0962723E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B354612BFD4B47001C61C64299066E41,SHA256=D7FF2B29301A3C696111323F85EBD3094D04429311D3CEF8A61542A7C701BEB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:53.877{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5862-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:58.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986178CD72CE864CEFA2D1925137E788,SHA256=821EA4283F01372872B875FA9EFC22310AD7B3F4EE46552BD8D9A69FB6C6CEBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:57.117{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001382469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:58.289{5EBD8912-8CBD-6151-0B00-00000000FD01}640368C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001382468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:58.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4317B62465F2EE34B733801DF633D3BF,SHA256=A979D699C450B73072C1C3BCBD320AEF00C9739DC2BC0CFE03E05DFF43A54403,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:55.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:54.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:59.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92A1A77DE67102E2C37662EA3884E1A,SHA256=5D9EFD8B030F21A5DB82622A2F173C1AC2CCB3AAE9A196CCA9ACFCDB23424AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.283{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51327-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001382477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.283{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51327-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 10341000x80000000000000001382476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.741{5EBD8912-8CC0-6151-1600-00000000FD01}12962680C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.741{5EBD8912-8CC0-6151-1600-00000000FD01}12962680C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.541{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=090F2672D0F2BFE74336A371C3A086E3,SHA256=55CCDC793441A778081B06EC81315152DF43BFBAA02A6024963EA63F36CAE0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D50FD02DBC4CB20E165EF934C251C3,SHA256=D8AD70218DC4F9B0A1769B4061EBFF29952737A4F36A9C56730ABDD0E9FC4A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:09:59.257{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8463A922AC8E887FE9BF2C9C3B10A321,SHA256=986E6F21859C12C2F87E2F74CCDB0658BA9DB0F0914011C1339F2B451E7CEFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:59.339{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28A5F0DB1A937457AB443A321D89CAA5,SHA256=7BAE59DECF91BC0DA6BB3636286039EAEB4ECA3973D83B1F9FA41AC533672C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBCC00DA42EBCDC1302AC2A64FD975C,SHA256=FC10039521E4857ED9348F01BA92A51325CC3498359646FBE16A1D6C93FEA051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:00.272{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D95F5E68F014154CFEFD0BF9E4C4EC2,SHA256=0469C07AEDBF249C63C3F79B05AC8728F4D554B71DAB5A042CC2C4748352058F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-23675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:57.440{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61586-false10.0.1.12-8000- 354300x80000000000000001288556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:56.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-15662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF0C2DCD8847B42BB96E8A5504A8734F,SHA256=1A4E64203C24FD3607CB8305A495D282496C6840DBD8CEF72C67B6E48137801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB5B2DE4970264B130CA3EAC0FABC1B,SHA256=1275374827DBE323AAD78E418C51AE173C3DC8AEFFEF7C7A5D310EE53B254131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.948{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=103C12E0F6367D4DD6B83CDBEBA2DB6F,SHA256=3C7A95E23897C26E1001E8E5873F6E3083C6592379B802251C55FFF8CC01A0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=67A5CCC8B83723618E722CC28675B8CC,SHA256=A340E949BE6C46AF265F137A3ADDB6C1520123077E75A5E8DB7295E036DA2CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.932{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=A99513F5FC53FEBAB2BE6731F9505D18,SHA256=694F58850639D01BB4EE760D2BC5E81258A71761AA6540273FB0DE94D1220098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=428B9500D53D2CBC75ADBF408A0A2C28,SHA256=417D4B4CA9DBA3F1A287BFE247BA81A39CB0ADA45D635CF50427504428B2DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=047EAAE78CC3A4F4176CD5424C6E491C,SHA256=F81B7253B91620D2B34B9FD33E6A7CD4FC3289D0F10A097D24E819161A6C3AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=80ED13718D67F83E95DE5A1903458B2A,SHA256=98D767A1E9F7C32A7321DE028813506F4C4C305FD8C1BD366DEBDFC3CB59E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.848{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=B87CA8ADAC18B0F2FFB456E7497C09B1,SHA256=7654AFCCBEBFA8A3025652ED30F37E7F3484BE67A5C23B276BB8D83011C15BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.832{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4D56BC1E46AF0EC5531BD7101BC31F14,SHA256=6786B1FA28C6FA145CAADB510E14A24A9AD3CFA943B36F358C9AA36916FD5D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.832{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.831{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.828{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.827{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.826{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.825{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.810{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.794{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.779{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=4D56BC1E46AF0EC5531BD7101BC31F14,SHA256=6786B1FA28C6FA145CAADB510E14A24A9AD3CFA943B36F358C9AA36916FD5D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.763{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=67A5CCC8B83723618E722CC28675B8CC,SHA256=A340E949BE6C46AF265F137A3ADDB6C1520123077E75A5E8DB7295E036DA2CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.660{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=80ED13718D67F83E95DE5A1903458B2A,SHA256=98D767A1E9F7C32A7321DE028813506F4C4C305FD8C1BD366DEBDFC3CB59E249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.644{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.629{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=428B9500D53D2CBC75ADBF408A0A2C28,SHA256=417D4B4CA9DBA3F1A287BFE247BA81A39CB0ADA45D635CF50427504428B2DFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.566{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.287{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40114F6817A36912D4179245BA5670E7,SHA256=03BDE316B0229B07524014D30F3A8B01C4BA832F3A02E762183D205842BE77A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=813D2CC4C9DDC4E26A41EA1781468C8C,SHA256=68AC46F1BBBE7B0FA99FC478B9447F417C16C92AED85F44FE4712E0C87D4C41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FFBB33B3725E8F6AFADC858A6FF1C2,SHA256=05FB95A1345188BB94160C536215C25868ECF01E6F308512D093AC825FEDBF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.479{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.378{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0BFB9847B63D57B328AD99E1B6BCFE,SHA256=E3E17714EB93A444E667916A3D7FDBA04B38755D0DFB718DACF15C8343E2FE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:09:58.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09B8FDE1C01B1D05B14CB6480C507854,SHA256=0FF801525C5D991E4BE8A6608E9E77E70237ABECE56887FC48D550559D0247D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.344{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local51328-false142.250.186.138fra24s07-in-f10.1e100.net443https 354300x80000000000000001382535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:01.342{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52538- 23542300x80000000000000001288565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:03.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31177740DB834575224DDA55B5FD8221,SHA256=B16A31E4230F3640D3E9EBA617F5A704CCE704C53CA49B6EE850819A9A82061F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001382549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001382548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051dd1b8) 13241300x80000000000000001382547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x3d3d5cd0) 13241300x80000000000000001382546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x9f01c4d0) 13241300x80000000000000001382545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x00c62cd0) 13241300x80000000000000001382544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001382543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x051dd1b8) 13241300x80000000000000001382542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x3d3d5cd0) 13241300x80000000000000001382541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0x9f01c4d0) 13241300x80000000000000001382540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:03.594{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x00c62cd0) 23542300x80000000000000001382539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:03.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206C31B6CFF3909C31FFDE30F2754331,SHA256=F2F12B0DA6744B1F434E43465F43271DBF939EB8892F7D006B6133805C3C38B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:04.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408B010B10E4FB5E8F9C800E437A41E8,SHA256=C463F7D6A34E8BD9FBB6B04C96F9DEF6F4D3478884C4D7B7777A6681749AC03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:04.409{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBC333C11FA62586BDA08BF32FCA12A,SHA256=7DC58AD6E8CED7A3220772B75CBCE78C1B2798050341EDE1AD3CDC80CA1B64C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:04.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC2C8EBC36D1C482DC9F69A5EF61BD28,SHA256=B5919A2C3E222346BE4EB8449A22CE149FEAF84CF8DE7BA5417C74ADB888EF02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:00.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:02.774{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55341- 23542300x80000000000000001288571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61851B1EA84C887A2F5C4D5FCAD8E026,SHA256=E5DC7312C222EB0340E64C990F940144D1DE37EFC70FC56522D36A20DACAC465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:05.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82960E975A09CD55629E308C4C14025,SHA256=34F277AB98373B949D3A8422B20EBD0561EB95837C0C9E52491103AC0FD9EA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDAE6D46347D5F8DF3925905A916D364,SHA256=C7F4E8ECB4F55D0821D97D939A04BFD3FC3F2647237E83E9F5C9C05B0CFB072F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:01.196{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-47922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:03.102{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8CDBE672817ACB94B3FA70D261963B,SHA256=4B801350EF57CB7FB39808DA4D46178AEA04118ED86FF390332BAE87991A95F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:06.445{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD2C0424AD46FA092492990B32E23CD,SHA256=0FFBA316752C385B956276C937A79F6F394AB205BB6A9B192B63059FA5D6D01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5969FE37439EA313ACC316C980CF6BC,SHA256=86E403CD2F8C47D433D6A433E3D74FC56BC98C7F85D0E832CE63807D83F16E40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.502{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61587-false10.0.1.12-8000- 354300x80000000000000001288572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:02.476{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-56990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5A91B7303C4ED30B9FBA47FFB3E441,SHA256=B6B0449EC3A441726B3EC3AA932D9D176627B1E84BF1E021ED322FBEE52F9706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:07.459{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CF5CAE53E3C0F83A6A9A9F5994C499,SHA256=E9B93ABFDE25480E9AE10570A222C0EF3381CDEC1305966A6E277E50F0BAD3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40BF8F00FF596592C6B300186BED0388,SHA256=E79A079E134275996520961CAF4915C74C05A2069068C2CDE4FF31BF6270A66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EDA9A48652F5C3F9DCC5771BC0C2E7,SHA256=FE565AC7914A90B9C35EC61FF4FBC0D33CC16165C3183D508E15F5F0EF3F4202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:08.474{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F07A97063D216349349892E0DAC6552,SHA256=AD54A2ED0248F3C9BEA4C38F958AAF0962B6A86B88C0FB0E0EF6A78499EA3CC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:03.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8070-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2781A02654773CE8118A45CE39F82D50,SHA256=48170293D05E248BDCEC792BBCF9DC482F8CE5BFE6842E6403EB6B81CE350511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:09.488{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1524E86AAA7DF388EBA9A0EDF6827EB7,SHA256=7C09C5723CB4B890826E134208FD0E5794F73B2F1BFA61CA190165407C573893,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.302{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:05.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC90DAA39DBAB0E2AE4C553FDF83F809,SHA256=B2935FA165B46A06ECE00B29583E9EAD642C203B9BAD2851BDD248B3EA4295F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC382E9C36E3DF8304393EF00FF3BBF5,SHA256=D52DA3932FD27F9890436C00E8A2E357449BB6D301F6141490473BC161199B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.762{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=19EB3AD36C9649DB77DBD1AA5DB8D704,SHA256=B25971CDDCF0161623CB8B56D9D66E99BC18A312839E6555CFA0BE77B698DD97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.694{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.695{5EBD8912-DBF2-6152-3D28-00000000FD01}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB1080B403B424980AE961CABAAF228,SHA256=83B5964F36FF2B6A695E64B72691FD84CA0B2A14537BAB3682B3E88816F26B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.354{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3381E86BA7C8605853CFBEDFFEA00A79,SHA256=5ED6647780D800A416873A9EA69E0F8246C186C36539E637FBB4E778C20F6E53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50272-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:06.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50006-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001382569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.437{5EBD8912-DBF2-6152-3C28-00000000FD01}50646444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001382568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:09.135{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001382567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.188{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.189{5EBD8912-DBF2-6152-3C28-00000000FD01}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6499F3FCA307A325A3EDC18ECEC5C7,SHA256=B6647E13FD5DD0D98970A822484ADA3F817412E861E313CC6CF42CA30BD43183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:10.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=090F2672D0F2BFE74336A371C3A086E3,SHA256=55CCDC793441A778081B06EC81315152DF43BFBAA02A6024963EA63F36CAE0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:11.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A6289AD9C5A301E9A0EE625FA7C4A0,SHA256=1A91214213AE226E23191E27E7DF93F6598E3D33E9783A1BB446D0B54DA40381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.557{69CF5F33-DBF3-6152-33A1-00000000FD01}1848320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.370{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.355{69CF5F33-DBF3-6152-33A1-00000000FD01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AC1F87C31B8534FADDC569278A52564,SHA256=9CBC7A6CA70BD5C0A5988EF7D8BB8929785B4BF76C17933B944E4B6A09F4CC3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:11.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B6499F3FCA307A325A3EDC18ECEC5C7,SHA256=B6647E13FD5DD0D98970A822484ADA3F817412E861E313CC6CF42CA30BD43183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.776{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.777{5EBD8912-DBF4-6152-3E28-00000000FD01}6456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:12.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E4F18619A69709D25E95677184C9B5,SHA256=1A177C332E5DA73A091B5B382C702C6911D97DF6A264664F4995E882296DAED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.745{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.730{69CF5F33-DBF4-6152-35A1-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91EC17971C5DB979FA049F3DA86E00AF,SHA256=6E696B9128D280960447A2B1D69C3D9108E5BBDB1E2F67D308E30DA75546B8C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.292{69CF5F33-DBF4-6152-34A1-00000000FD01}35721740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001288624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6314-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.537{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-39722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:08.471{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61588-false10.0.1.12-8000- 354300x80000000000000001288621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:07.884{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.043{69CF5F33-DBF4-6152-34A1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40429E40B1BBEDE028A8373C84BE992,SHA256=A07494CCE8D9181BC14C3921A8954BF9BDAC8A154DDA1F5350505D004632FA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.807{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C4610137D140344ECB13B384F04638,SHA256=58FA3C815BF6A7EE316D03B9D5898AA47403CFF737636E838A139771E4D1F28D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.675{5EBD8912-DBF5-6152-3F28-00000000FD01}22722672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F416A14BD9193EF47698B248E4A81E10,SHA256=DE531A0D7A49DB421C0844B3ECDB6DDC6C2194FC7B09C35F7AFBB233FB43D4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC5869C614528B7435F1A51EC2CA840A,SHA256=17FE037EDBE0BB4841D31EC584536838E2DF97DE131D5C18A2E53988BAA37597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.604{69CF5F33-DBF5-6152-36A1-00000000FD01}2504172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.432{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.417{69CF5F33-DBF5-6152-36A1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001288641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:09.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE40678DC95BC6F586E5EF98FBE3510,SHA256=6C4C274495153D5A00747DC03BC02AFB7E72FA73D6AF45F38CB89CDEEB57B5C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.460{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:13.461{5EBD8912-DBF5-6152-3F28-00000000FD01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE49ACC2667DBE5B6A0468CBA4078048,SHA256=79802BB98021D05C9D5C2F556A8F2310417E1314E897E3122F828F4B8D1DB14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6762AA87272035F766B4ADE3EB964D7E,SHA256=114D3D94B6F666E91F90EA46F9A1FAA5470D467CF38F2BAE1EEE6BED346FB410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.901{69CF5F33-DBF6-6152-38A1-00000000FD01}962492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.651{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.636{69CF5F33-DBF6-6152-38A1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001382603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:10:14.621{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b448-0xa5fd7dc1) 23542300x80000000000000001382602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:14.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F976427D8F14389CFB36440AACDD3F,SHA256=E5677A13D0A32DB329A77149A237E3739483E85D2D1DE02189B818C0AB1F6070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.868{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-55531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:10.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.120{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.104{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.104{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.105{69CF5F33-DBF6-6152-37A1-00000000FD01}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.605{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CF316E0901DBD1B83228A56C089AF6,SHA256=5C79EE11A144EE5FAB07341E85EB4699F6740A0C152C26680B688276D3C0EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57077CCA19F8994F22E3AED42CEA3EB9,SHA256=63F3B78B32DC4AA9D74CE9B01080F90490C878BA05E72597CF4F8C9559209130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BC4D932F60D9D6FD0022869CF82C15,SHA256=15FFAB40A514A688D06F07BFC267CD3005F04649AE265786E698A71FEA34C773,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:12.484{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:11.381{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20493786683AFC1035A65D424FF4B934,SHA256=0B96BA1D1ECBF42CCF3FF4A52A159FA0FEEB6378F8411B0C5CAD9AAE7FB6F1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03C5DCEE037CF8588A7E29967C62F44,SHA256=ED3E8E1F360B10E9C6C58D9916E709BFF56D71B3450207DFC93ECF3962EE5563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.919{5EBD8912-DBF8-6152-4028-00000000FD01}61804528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.741{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.736{5EBD8912-DBF8-6152-4028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:16.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1DC2BC614901BED17B944D0E9BF96D,SHA256=C1930E6DE77E8E662E65F4BA0D8D752FEBA957A24213EE0D0A6CAA9812F25614,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.597{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001382605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:15.067{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001288693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.105{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12758-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CDBBF7D0851CCFAA431E2DACC03BAD,SHA256=DCA485A71F3809C53432F79B0DDEC6F0C6AD5BCBA5E71A028334A2DB427AA2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.739{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D96DDA18783CDE23ACAE7B3D3B403496,SHA256=13972B64D37FB640DD5A5D9920F9CEF6A731EEC063941CEB4132AB7AD294E6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C7425CBA42D1DFB304F84D5A7A3F02,SHA256=CC37202AB4FBB23A165D3358B79DB983607E1DCB9BFB95B490AEBD92548BF614,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:14.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-20523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38941-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:13.502{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61589-false10.0.1.12-8000- 10341000x80000000000000001382625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.635{5EBD8912-DBF9-6152-4128-00000000FD01}71045796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:17.420{5EBD8912-DBF9-6152-4128-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCDF2D46E71B0A0AC012CAD1048F497,SHA256=7FDD892F7EF763BBE9400A168AA03681DD44206E9C0326C3F06408B2DB2B5FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:18.688{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618246959FE227525B79199F16152027,SHA256=7707FB6C1173A03C841C40C284CDD1C062DE3B37F7D8BAC3E4788A892F5588BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2A5BDF20FDADC1E7078DE2C71D6660,SHA256=E84C86FFBC39D4499EFDAFC96706A5111756F0333E9A63E7D56228B5165E8CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:19.719{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0643A47F982BFC30098E5CF2ADCA8A,SHA256=03A554707826DAC05397B082A7097E90867A9DEFEDFBD2D19ECE7EA33F8650A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-27775-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:15.091{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC81C812912D2CDD092ED7CAF9CD6192,SHA256=03D634D124604B673EBF1AC8E57604A7C4D73599D44BC3EA44DA339A83C1DED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.738{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67681A22EEA764D5D3FB40C82A2276C7,SHA256=7B38A5C86A56D9867A996CA5E7177DBE0AC32A391EC8177F9052CBBB2E5F910A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.387{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-35128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:16.231{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-55634-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0ADF5D5458692ED0F74D14B7214CBAC,SHA256=2E1CB1FDE4FC71C860204F59123F00C78F5CF2F5A74D3F0A5AD18A9919C1DBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680DD94A4CF7993AA6868229DDF3C48A,SHA256=177180E1BA0AD0058F969738AA0538D602A7EA15473066DF6B7A2E537A4F4F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.156{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.157{5EBD8912-DBFC-6152-4228-00000000FD01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:21.754{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91121900BE5EFA01F3A7541DB6F20D5A,SHA256=C7B38A571607C966ECB0806527FE810C9774DF43B991EC38EAAA718FDB9D808A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F67DA290361ABE742676006C6540105,SHA256=0DA390CFA8098A834FF8FFF25603160E68BEC23C1F6B80E7C42822E99582FC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.421{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4615-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEB0BF9880483A3A9358051EBD1DC22,SHA256=85561F2CA4FB2F10E338705175352B5A754C2ACDD83B5437BFA0264603A62B1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:20.227{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:21.217{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21CEB4F2C8697A31B80DDBDEB86B719,SHA256=B29D0F24D0220AFD1DCB981126112FAB7E5FC97AA235814BC1F4926A963F6C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:22.815{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE8FD6CDAF8A23F812C69C0CB954EF,SHA256=FBE23A2536C33E13C5F0DBC865F3A38EEC2B93880F1C7467A78950FB2161541D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.531{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.516{69CF5F33-DBFE-6152-39A1-00000000FD01}2952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37C08CDF4B2AB9B2A1DF858D5D4F7A5,SHA256=83D5FE4A63BAFF27023DA063BBA71FA5A5D6F52EADEE88C1026E5639F3E828C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.623{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50247-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:18.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:17.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42758-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBFA514A9666B4DE790097E8DE90F61,SHA256=CEA6C61BED49A8392A8B78B0125153AC741347D6A0698C72FFD7EFB926115396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:23.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E52EA60E8A8D4C297ED60FB4FB077,SHA256=C4FE7C0FCCE8874DCA3BC1A2B715E62DAE44AF4C71219B8E4CF28C468A163961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C15FCE87C21F6843ADE5EB83B49C798A,SHA256=AB2E630F8DAA1716362C6D24E8046DD7ACF222CE43DD8C77F01742D20818AF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.686{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20466-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.398{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61590-false10.0.1.12-8000- 23542300x80000000000000001288730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D897C221720023B6664240D2E52FCBA9,SHA256=7F620DE5899344CE0225B18BD7B2F39EFA094F3BEE72BAC28EF976B27FB25479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:24.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723CF674E1D698941BB34DE9D1E8EEAF,SHA256=4BB759820A7073AFDD2D14376D5B48DF1DEAB96CC0E70F1886C5959481A86B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F78DAF6FDDFACA56A966A48475F7C13,SHA256=69E5B0B1A8910BD63A953FB26595009CF2EA277A0964533EA62CEF41B1A57A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.937{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:20.824{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27975-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:19.806{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-58057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9C35A0A5B652D82380701147BAC537,SHA256=6D510F448224454C8B9AB2FFC87375855FB54B04868B1A0BE897014B6B4A5B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:25.880{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E913B3E9D7787AC0FB7671AF74B7045,SHA256=4C55281E60D2186AE7544E009707085151E16353190E23180310653FD364660D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B628FA6FCAC5F4405BA629C8E4045A72,SHA256=2832EFDD4BADC80B45461CBF2AC587514E4AD968A38D007C59668096484D0960,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:22.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:21.952{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35973-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B4AD51F2F5371B6803FCA755DA80B6,SHA256=A5EC513EA1111D3EF7532EF9BA870D918861853B9ACD0167D8975760200795A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:26.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D0AD8CB4504F02D7BF8972EFA7B450,SHA256=366E206B64D085A238306391315F84F53EC1D39298730488B749D4FC6CC6D0C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-22285-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C047D660E75569CCBBBFCA30508E37D0,SHA256=67EACBF1792C4B6A986775266FE21D5B0DB4588883C725770DAFB92B65C140DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:27.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FFE6BD0DCBF1D9A2774814E14964ED,SHA256=2BDB4879BE0F5796D1BA97CEBD3F04D98A307D47112517302DD42B680AB8915A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:24.284{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:23.277{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-44535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD107C213AF5A78F5F077927DFF97BF,SHA256=CA7BA0CE27ECEE1CD1496CDB88C23A6CD978D03B0C1F5FC4CAACCE18E9D8BB4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:26.158{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB53E19EF11F844334CD722E880EB58C,SHA256=6F9EBF74A1394EF342DE5E7CE7907B7B56E3CC9662EBB26E2DDD39055A63611C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:28.978{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A775B6367DE97B4575726B08A960D94F,SHA256=1154DD73A7910AA8421116F53519EDF9F8FE721DB07CEB6E7CE49E5FEB4F19C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.435{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-37403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.398{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61591-false10.0.1.12-8000- 23542300x80000000000000001288751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA5A1B82CDBFA5A89884918728517698,SHA256=589DD9B68901AE557295413C7DAC9B63D11F9F973449752D934B8AF61364B0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767136FD9600E69C8B891AA4A83132F2,SHA256=2ED88D174092D4ACE2069962EFA77408B39A9E009A639C861CB8C407D1E2613E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF94924EEE93BD668411C62192E8451,SHA256=084E9644BCE52E4FF069F46894FAF0CD0436531C29D506AD2D72AA4ED6F1A750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8AEC4E94C61A3DDC8800764EC5E952,SHA256=F03B16B64719A5AFF4647FE860AF144ACA8790CA75F166A364E9799005A12A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A61AD7A68F96E8CAD43BB0E0F2B018,SHA256=84B2CB44F508EED71EB128A481DA9C4C4C11B9BD0C4C05583B44E98D8E64798B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.406{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=670DED9195B754B7AD899888A25D0E77,SHA256=2C74CE05B96258B258195BD299A114E02CB5513B6ABE45EEEBCA9830D32C069A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FAA169EAFD4BB063780D2818CF5677E,SHA256=93B3DB72E78FE977EACDC7E6B847EADD1339C3E9E72F29939330896473F4AE2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64231- 354300x80000000000000001382653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51095- 354300x80000000000000001382652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.260{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local57006-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001382651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.260{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61538-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001288758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:26.562{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:25.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1089-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074D35718330599C33DC7A6393BD89AC,SHA256=3B20A3CED2E60339467201FE203A132C4C60767CE1B78F8415395454B9C9CEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E84A6D91D5C25D4EA0817B4B6A7902A,SHA256=B7BD0E4B5249693BD21B86A19EFAEAB60DA6D9E031BB79D1830B0AED386EE0F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:30.412{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local51334-false54.70.80.82ec2-54-70-80-82.us-west-2.compute.amazonaws.com443https 22542200x80000000000000001382657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.302{5EBD8912-CDB7-6152-8426-00000000FD01}4172pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001382656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:29.295{5EBD8912-CDB7-6152-8426-00000000FD01}4172pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com034.211.187.119;52.38.12.166;35.155.229.139;52.24.163.249;35.163.9.121;35.162.134.178;52.37.158.247;54.70.80.82;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001382655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:31.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57C9E9CD9619832570515C81EE4B436,SHA256=EF541293D22325215DB67F0EC4DADE906CE110D0E6F15DAAF0AD97A0AB9B7FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=516E0741501699B0E8FDE8301FB66C08,SHA256=D669A542EA40D78B39F2B7A39EA0F25A78DFEE7C44D6500B5A960EE3F610AC10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4171E1679219EF04F8404E3080C3037D,SHA256=B20003CB943C5D82949CC01267168BFC0800EDA035F93C6E51FCCB4351BFDAB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.120{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026A06640521D2415F1CD807A13688ED,SHA256=787297647A1E5226E1DC22211ACE4CE59472ED9BC1707A6CD58601E04077893D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:28.778{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:27.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52386-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:32.417{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63217- 23542300x80000000000000001382663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.177{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B52402AC86FC712E31D48E6DAD027A,SHA256=EED92D9AF1A6E43DAA0CBD601ACF6C0EA046268E21AD8D114E65761F19E7B7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.177{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D78331459FB043FAE4F15E003A244A,SHA256=591B1AA9AF21AD726F722DA13AF7C6EBFD6ECFD41F3ABDE10B8F24DC058889AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:33.061{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EEE401F1003964BF9959DE34143077,SHA256=F7D8EE45FA2A45554F7E293D0E6CDBA938782EFA30F15048DD0B94F1243DE564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C52093A6C2075F5D82A4E335F286C9C,SHA256=0DB80F51194A70315FC1413B3C757CFF2E7A4C79A2203B313AA8844DAF2D230F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0520FD7EA6EE8E1CCD3B2BD995D4F18,SHA256=F76BF9C89B8F02F268176308AE568596B1542425880D24AADC795192FBD48E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:34.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6EC42BE7FD8531D3CA46469F4FAA60,SHA256=C56FFE60037C522D1CC726E1DEBC8A91D1173DB0C47C7F6B9E6947DE2CFC81CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D74F8F67714E8EF593F5FFD613E764F,SHA256=837BD769262566DBA7D31E1D35D388FBA1D713CF35C9C02066E7F5971CCAE8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7CF2DE9B923FD3A789B7EF60404B0C,SHA256=FECF494BF714C439B75AE93D2D0B86FFC32144CF60036C594CF40F0A462D8D67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-16755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.554{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61592-false10.0.1.12-8000- 354300x80000000000000001288772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:30.356{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34254-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:29.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799C92990752AAE2E90A4BFF6928758A,SHA256=39B29C0484A49A4FAC6D486FBCC25BDEDF9AA8A8545593C9A72D8B854576C5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:35.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE58D89C117052D2AD3BA40834C6B032,SHA256=290F7295E67BE76D90F5DEF2148EA1D4BD8C061E53DD8C4EAED64029A9A4A172,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:32.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:31.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42850-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D897BF89BD2D09129F9D675003C7469,SHA256=D2A461E73A94C3E41721B6058C92C9DDE0E7883AD6BABAD875CDBACA88D68BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:36.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE2DCB7734A5ECFB0EC7227C5F998A8,SHA256=C4E04BA2C1526581976CC4FF5F1B8433C535CD59A48D7632CE23DBBB8446F9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC466D446B8A18FA13602E94614DD946,SHA256=9ED794DBF327FD02699E528DE72F50A678FF89324D01A0FBAABE5321C0E24516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:37.125{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37286AC8E6FCC8A92ABB0C49E7DA83B,SHA256=0A1D6FD0CA1CE2034720A84E0BE02E4B91BF21DBDA6C556BAEB3029C7662529A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.166{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58518-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:33.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4359183A2C5A98CF3082FDEFCC708A,SHA256=CE837ACCEE986897D2BF625178026D20BD55CDAA1B106E45033F1228157188F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:38.118{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:38.143{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B60989A7A8B51F63F971822D75D010,SHA256=4641CC1BC78FB57A798E6564821643C587095B62323E19075D0D0C762ABB1D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-45187-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-45059-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.191{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.097{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.076{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.030{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43590-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-43092-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.930{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-42182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41439-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.604{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:34.559{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC501BC53581ABE4DB7794FC6411B421,SHA256=6A7C284CDAAF6AFB4E0B203D3DE0C9E7EB0CE8F62AAD2458455A99DE61270F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F2305C756E51C12B52F19379574EFE6,SHA256=0C79CE9DF3C40610516BE0CC8AA60023C9F5D295D37994973CD6066578B6F9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEC03B00087D4A52FF2F0EA71CDE44C,SHA256=2FAE78AB06F31BDF49E448145FC8A8BE009B93452A1464D0A68D8EEC7A600C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:35.570{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61593-false10.0.1.12-8000- 23542300x80000000000000001382672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:39.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6261A390A63DF0C7F94D0CAB1576A93,SHA256=8819FE376CB45315B51B713007BB808A628307A3D20B48877517D9F516D31EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6A3AE18BBB2672B977A1631FBAB8EF,SHA256=B2DBEBCC0E39190C17633E37DE1BD323CDBD9D4060572B841E7398AAF6F0B035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:40.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8307255B5AA87391DDCB8D1A111181,SHA256=082BB8689C92D96D2A0F8DC9FF0E2CD5B03DB8F6A4BE4E58705018414635EC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:40.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E223F195FC721C2B180C8CFD3C0DB81D,SHA256=CBC65DF012E599BF1032D31ED6044B6927E3D33B5BC624C31C6F01729552895F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.704{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24475-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:36.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.743{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31234-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.578{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-31041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.369{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29649-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-29094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.235{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.212{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28493-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.067{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27265-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.010{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.987{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26978-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.922{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25612-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.764{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:37.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:41.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC5E83C5E6BA6EEBD18242C329A214F,SHA256=AD8EB852A00F3EBE72DBDF35D421181AF7B25AC2C482DA37874987B14F55929A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:41.203{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2224099C345F6738C472B8FEF5D8D5D,SHA256=F46E3B5D2AAEFDEC45A124A89F1DDDB45BE0E193B9AA2B78C54BDC0954BE20D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:42.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EC666FE02E930D766CB89E2B0E6B71,SHA256=5964F22DD7963B00AB17F85293D772ABCBB7576D06C5C569A8E06364B8FA5C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.143{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35497-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34953-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34756-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34588-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:39.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.910{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33776-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33514-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.849{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33353-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.790{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:38.766{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:42.221{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C425219C2D6531FF4C44C4633D0AB91,SHA256=996DC826D1935C2C01B96A69DA713BCB4AFD83EE7A2D1B36C4C07CE0B1802F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:43.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C913298F1102E34836FFE0971DE46C53,SHA256=4E44183ECF18FDF27EDE2C547576417BEA365A4390050FACB802D7D53F83724C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.011{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51337-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.011{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51337-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001382678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D0C494186F44669EBD01A05A29DC07,SHA256=D2141CA50157650A6C964894516A1559DC1B36C42370FCA07182B8A5E5529951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2DAB077AAD8AEF277986D9E322A5DC,SHA256=54675472E51C402F41B18FA72C2FCC10CABC2DE5A61B1653A434795F075D446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:43.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2B52402AC86FC712E31D48E6DAD027A,SHA256=EED92D9AF1A6E43DAA0CBD601ACF6C0EA046268E21AD8D114E65761F19E7B7FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:41.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61594-false10.0.1.12-8000- 23542300x80000000000000001288873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:44.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CDE418E3ACA045F74CC3678F9E3FC9,SHA256=E88FD8BDA5D570329D8402411630B5D1CA13845C64CB198631737D70FF21BDDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:44.110{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:44.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFD58D3AD3015ECF744264BDA6F9DFB,SHA256=521EE53C1E26498FC6D29824BD937222C6E85771D330E066318D1A8E5BD2A504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:44.251{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BC4D51E332EB278AB664607447F7135,SHA256=5628475D7DA964E8F2DB8A753CDA77303994421C3A993CC2B7F98E2576C47DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:45.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F660D492C326CFFB009C2E4E570173C2,SHA256=365C85509C9C0042D8832F87EEAA589BA8A09D2B7696744267B4B4C41698D290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:45.256{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6DB88B23A1E114B538C43E2CEE8013,SHA256=59F508C54E3E6B5C99EBA59784B843CCE84FB175F7FCBEB6683895E24DC7BCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:46.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622DEF4369766510D8DB1B8D0A96EA1D,SHA256=7E9CE60E52C70D6265CEBFDE11F586A3F4C8FB23D89E0F0C170F4A7509113983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:46.271{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFB3A3B342477CC879EF714B61C07D5,SHA256=D4BAD8C4B5C0E83C00065FB9D74E7BE1CA276A7BE6ABAC7EFF9CA61FC072D55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:47.523{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:47.301{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F887CBB02DA1EC45595CC12DAE672D,SHA256=57D6C492EDA2E6A38402CB7944E08F4F3F3473B6034AF4DC653A4574E0B6E8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:47.001{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:48.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=534249906EDEC9CB2DDAAADE1AD7BA13,SHA256=EA5584CE0986FFE66F8895557D48279EF61D09E8897B63FB0A49471CCE70C7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:48.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C546B757DB27CDC3C0CC7EF881E93F,SHA256=07B171D19333F95A09A4B1315418D059B448DBCA1F1B35A654EB2CAA039E21C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:49.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CBEEEA785A75383AB569300E2C080F,SHA256=ACF54444CAC70C7E5143F5DC9E6674B02769FCB66AA49D5BA5772ADB6F176367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:45.340{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61595-false10.0.1.12-8089- 23542300x80000000000000001288879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:49.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B13A0643EF8CCBE072C42755DD3733E,SHA256=CB154FBA574B310AC1ED153FC52720C5213FD8E8E24809D57BC5B5336E4CF68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:48.509{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001382690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:50.352{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB8311B836EA69302D7E83AC0829DF9,SHA256=EE363E092AE61AA7E416559A182C480A5F6A8354D60831A453CF11820D50AB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:50.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449CBA947B7AEB33C089CBDA1E850A36,SHA256=57A97D38CE1C01148B7B25B38C975C43872247E195489902F81533D198108FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:47.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61596-false10.0.1.12-8000- 23542300x80000000000000001288882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3ED2F84A33BAA2C712D7F0BAF14F61,SHA256=CC65D470E2BF15CE4B2A152F40ED6A8DEB4C7B0B357047E8CF02E859DCC43F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:51.352{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CC58C6FB8C1DA8A335EDA48F35637,SHA256=B45068529E58ACF1DB604C792AB6DF6CF13E779314567AA7FD25C089ED8D86E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:50.031{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:52.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC58F284E34DE060ADEF818A4D424BA4,SHA256=05D4A2468956125C314B673B1B66784B3FFC39C19E12ECC6AA99BC9A8C06BC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:52.367{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A41A932B6B22106550E2BB08C6B3C4,SHA256=F3F763A36FD0974CE49E0F16E30A24AF507CE0596E959EBDADA15DDA1D756197,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:53.887{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261597-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001382694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:53.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320AC63D8BF1C40B2D589D386772E5A3,SHA256=1A30863CE29662A994B3B99F3237D6798014E7A691D68A76D51C5824F4B2A5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD159363F259E99A16980C1CC997DBD7,SHA256=A764B1915E529E2E382AA2331A03B5192BAFC466F3E5A734DAA51BA2A636E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=575A74E2632120F158F0EEF0278E79BA,SHA256=B0E55AA5820D174D8DE0A390D2046370BA8030AB6E7C7667831B2DEFDBA716AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.429{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5711MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE75A40FC8B3470B92084A10B3AE9443,SHA256=DCE067F8E16E9DAE0FA4E748003FA25F77EEE162FA6E3D9BC4EEDC2ABC6DB8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:54.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A67E90423D0BA6DE1ED23D21CC7C40,SHA256=94974B10BAB31FA45312386BCA245D5BCF8078DB1AF34226494C580B15313D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B17E611CD67338A9AECC7183C4A59AA,SHA256=BF36CA72757337ACAAF9C9157925DA8AB49BEE2A26AD9589BF93BABF5ACD3610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.441{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5712MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:50.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32541-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:52.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-39764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.209{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61597-false10.0.1.14-49672- 354300x80000000000000001288894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:51.044{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32963-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:55.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13884A98FB32D76360BF486AF40E77DD,SHA256=4CEBA8C9D24CB43C432C9C9F69D446B2AB92F76A398F69A8B707874B4534FDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:55.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF2C6A8DD797C09BFA3E3CBCAEA82A1,SHA256=840DC902F5CE93D763E8846A1BB351BADFC6BA689CAB83D36AD9C5EF87E80DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:55.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD159363F259E99A16980C1CC997DBD7,SHA256=A764B1915E529E2E382AA2331A03B5192BAFC466F3E5A734DAA51BA2A636E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC68C715D3E7883C5B15F5450C3BEA2F,SHA256=5FD3BF4B55A4703084C19CDD972BE6A7C9691A82290FEAACAC72E6FEBB15FA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:56.435{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616FF78FC9DFF3DB68B9402AD1BFC6D4,SHA256=CCC31B6203B695BB5E4FFA152B057ACA2D45F8AA782A740E7FC1D810FB869A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:56.435{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1394MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1442B9283E74EB16E2E13D315B387D22,SHA256=A8D69DF0DE1BC8926D4C7692FA63FE275B4F629720E8F42FCB73DF35BF715862,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.421{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61598-false10.0.1.12-8000- 354300x80000000000000001382698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:55.059{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001288902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02048522F5CDA933935AC5A61A897142,SHA256=562FF74F76822DAA00194949A5A8E2FCB049A375831F93BB2D9EE2E8B059C526,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:53.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-47108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F068C6B9E5F12B0205A76C3424C02D79,SHA256=6E666D26BC63286524D4A78022B2187F7D703FA852E8389050C86FBF47476E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:57.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81943A93AE1316DC3D8EC795672270A,SHA256=AD6C399513DDD2B161B8FF45AC340EBB674C98A5E43EF1AC1C5B570441FB8E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:57.448{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1395MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:58.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D4C10B54F458C00C62AEF9F0A39543,SHA256=4BA9C8EE2F696DEE257C8BBC571326EF66FA053A653DEFA1D74001B9E29FBE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=525934EB7CAE460ADC355E28053F4D3C,SHA256=B83D5654AC223C30560FEE300600334A1D675ED6376CC1C61D430AC0AA837C84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:54.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-54203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9190D94228B99DCD582789BFDF45B593,SHA256=44BBAD94AE25078866C0B88DAA457DFCDB55426BC38A8AD9573DE96DA27C0043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:10:59.495{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706ACD15C926CA3A18B478AFE7B300E5,SHA256=2DA819454112203A7A3D5A5AA8D5EDC4C5219023021D65E7E9C95BB09DCA482D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:56.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2150-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:59.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9B128808F7AAFB0E834EEE5D25A1A,SHA256=0F7E96F91AAFAC30A666A7F01305CC6FD55498273C91E7BD7B5A0199FA400519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:00.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53F8D353D38686652B2666A6003D3F3,SHA256=947E5870352BCEC0C1A6D2547A4B576BF4D56BC492CFDFDF461801704CFBBBD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:57.513{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-9801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6452F3160A4710FF31F41E38B8963BC,SHA256=5583352872C52C72775DE43CFDA4DA8F17F4C7BE73371B09BE7C4E0B200EB173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5AB8E37D76134E44620DCFBBB7AF8BA,SHA256=5D35B4790B4DE88178728120BFB2226369901E636497A5DA17DA46C5224121EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E554CFBE11BF37A411D20CB261C75F,SHA256=371525817E0EE3FDED29CCC57421119A9B4273AEED022DD9DC642D46296DED79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F46B651AB4F329F6192917CA457AFB,SHA256=4A2572FEF4B87B059F622DA57806E06C02131D19070C3526DFC17498C1148F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:01.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7291FFFDFA4B82DD3D9CF7683CDBD1,SHA256=FC7430D2CFDF64330AF34202F04E36DEBE7D38DB7097699D2DA4BF95AD74B0EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:00.087{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A218A9AE74259887A999B36C86BEE33,SHA256=1EA85A4CA4D3FBDDF37E30436CCA70FA725644F6B451CCB5469C14BC0CE7B890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2DAB077AAD8AEF277986D9E322A5DC,SHA256=54675472E51C402F41B18FA72C2FCC10CABC2DE5A61B1653A434795F075D446E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33415C0BAE0E7E3E0FA19AB5C141C84C,SHA256=64690472355FADF371DD6D42B7F262203789F3429F8AD73347060AB2580095E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:00.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24053-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:59.436{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61599-false10.0.1.12-8000- 354300x80000000000000001288915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:10:58.760{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17103-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001288914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78FED36C4CACAD4A2A6559E13207F8CA,SHA256=986EC69668670E590D18E5F836D40E597C9714E3AE0C230205C1754D8C1F2AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2A172E66C57A9E5D4AD8BADCE97E5C,SHA256=3741F7B87D99CD2381250147E7CBA2471BF39556BAC8BD69A44F69A2335FBEB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A218A9AE74259887A999B36C86BEE33,SHA256=1EA85A4CA4D3FBDDF37E30436CCA70FA725644F6B451CCB5469C14BC0CE7B890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FF6C21F50F1C1F98049DF6FFA85A79,SHA256=59717A4AFB7572CF97F4E90C464BFEE9E4A550348A6C7D907CD6829F3F7AB0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:03.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1691D40567A8F488D59D3CAF75D824,SHA256=1139BB257273C67A2D5EF7A968D8FD37D00B7BB6C76D8E3ABD39295792BAC62C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.515{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:02.491{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.791{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0EBCB0C974E823152710A8E017E208A,SHA256=C85E0ED6A64A259330174A4F007667CE2E37A99162D86AD17B788E94D5670A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE8E40072B7EFEA5F0DE626EC0902C,SHA256=AC6EE8406B20C260AA782F9970BF872DEE853D68CDBC25C6F2BE62CA82384B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:04.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8894F6856A0F611845EF59EDA2C94E6,SHA256=CCB3CA8672FA07E14E50BE0A60A90D2E6ADCADBDBA9BEDD4C7F6006E8D551B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:03.604{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:04.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8686279D98DDEB4797FA39C160A93B1A,SHA256=9D089F4A972E63D55A3C66D60C996B84FD2D3002DB17303CBFA2CC32DC565D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9574F7DBF51CF17FF890F5135CDC1BF0,SHA256=E4197010FC26340B1BFCA032736A8A7E12BDFFA8AE34E255B950F5D7BCBEB7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:05.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E9063C6488E5D6B3388BA19973457F,SHA256=63B17BAFE22AF96C036CB07A1ACE111E883437C4F4F8103028222C795895BB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:04.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001288921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0D57A9B50767399671378DB253A47E5,SHA256=08F42D975BD77A84CC6B3C8082FABC9646DBA17FFA27CF641AD7BE26C210978A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A322D277BE30A8A6B8A76C830DA63B37,SHA256=26EE2E674DD4C399AC252D4E4F048417EC82BA798CABA214DD950D79DF0EBEA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB7170CEA185079C6CFBBDCB455C817,SHA256=D5D63AC3071C34F86F7A2905D336AEAEA169F3E1BF4D4F84D21FB338EC0DC3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E475B71CB551A752809A242AAC820491,SHA256=D6D432C9BDF238B090F9EDA917E5E0B7780304D8FE2EA70406D12CCB71795664,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:02.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:01.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-31362-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.036{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:05.959{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:06.043{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FBDFDAF0FD5713C9DBC823476B26A35,SHA256=328E86152798A22E4957388BBF264FBAE0DB934C115A881FD4A101071D0915E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DD860C570FECA64BC4667FA86B7136,SHA256=0AE6F3C047D0636B46975F62D5215D900F6839D677ABE9F65B10751CFE3148F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=470177FDAB5BC284BC1235C2C9499463,SHA256=71380943A914FD09188C7BDCA9456F240803543B344A5D134C334FEA9CCE96A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F337B9822F8103DB1C2AC59BDD52B1BF,SHA256=246E6AE6E6F58E299376B6C730A74F03144D8EBE020E44B3DA1827BA20FCD72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.142{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07887DCE8AD24856B806DE4DE7CA424A,SHA256=82A180CF2F59756CF83BA80196A061813731729940499FC3C0843D1DD8E46DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.672{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB57BB82ADFF20A94BA039749476FB93,SHA256=1AB987D40A434C22EAEDE191AD6CBB2DC1016318E9D5AB23864C28D8A117B7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:08.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD10496F13F15D700C23517F6C02C57,SHA256=14D29CDB2027FE295D19F9D0CDF3D8014E1D7FB2B6BA7730C86CD54811F09AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.426{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-19096-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-18944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:07.065{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11E80BA12A4728F819E155B02B6EDD27,SHA256=D9B036C1281C4B426949EBD6569DD0D1DFE13D7EE689B077E289AC4E0A101E76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.029{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:03.774{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45081-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.687{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114F956CF9E617D84F9C99ED60B573AE,SHA256=DA9EB928ABEAF68E080F70407941EA4CA92B620EA684C01C1AC4DEF2AFD5E8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:09.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82555D500922E57902D444EB3AA0437D,SHA256=07D3D00FD0FA681EAC032D1A0398AAC68D52E433C52E34E7A894CCB475DFA8F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:08.155{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.356{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E57BC1EEF6A12335D26C99895BA0FF62,SHA256=2644A3D7B2495EFD7ADD65920BCA63333D231A46930C23ABA021A4B137B02849,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:06.342{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59811-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001288933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:05.405{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61600-false10.0.1.12-8000- 23542300x80000000000000001288932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:09.178{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ADB39254414D2FB859FB4F8E4211320,SHA256=D511233DE6436D8C42AC936FE9C210D9F03A8E740D7762B493D1137E916BAAA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.886{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.887{5EBD8912-DC2E-6152-4428-00000000FD01}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.771{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6CED70BD12CAEBE01F1ACB47996340B9,SHA256=AA6D10D581DBC6F9657642CA9D387C150D82063008A54D9D117B7B2FFBA52307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.706{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B382A1AB8E2C77E22F36D1AAE86C7E5,SHA256=A87871D0840994F907E25800E7E0F6CBDBD5295DE87426D9ED8632D07CF294C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001288937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C209C5C51F49E6EB26AE633AB784634,SHA256=F63FBFBDDCBDFBADF317A53DA9AF1620B97D5C61145B873B97B6F9F8E2450884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C695695FEBE22D1414A0699AE6949994,SHA256=55C46B67FBED3480A6D351DB2932F2B6D6458649558E727ECE8F2AF5B7E9C364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.209{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.203{5EBD8912-DC2E-6152-4328-00000000FD01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.428{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=272679BAE9657D357E038A20A81865A3,SHA256=6AD14165FC95A393679052F263C9C53AC9D416E0BD7E02DA03D300050934F84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.977{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001288953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.680{69CF5F33-DC2F-6152-3AA1-00000000FD01}17962952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E1E699A34B96EC8F289309240BD5DB,SHA256=87238A9BACEA504DA3AD61D3B1870A211F066950CAB54250A16C0EA1876B0E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319FDBBEEC1B3C8E981CD792E102897F,SHA256=F4BFFF58D917A79A259D3A45BB023099CDB945B2CAC85B91B472C816C63192ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.605{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8905F5067F8EF1A282F37733A1A6E704,SHA256=C62AE554C1C2707FF9D0AAF094C5ABC972728EE68FE26517C16EB892C6F9F8E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.048{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.012{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17335-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:10.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-57534-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:09.254{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.108{5EBD8912-DC2E-6152-4428-00000000FD01}6768136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001288951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:07.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-7895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.366{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.351{69CF5F33-DC2F-6152-3AA1-00000000FD01}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.807{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.801{5EBD8912-DC30-6152-4528-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.753{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EF406CFD844A7D706A52AED3337C6A,SHA256=21F6F020F3533E19CECCE8AFFD94F85FEC481D4D897BA338DA9CE8190DD5DB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.678{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.664{69CF5F33-DC30-6152-3CA1-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9835B669385F65B95F45D7B1BB565F1,SHA256=469F2CDA6ED1B1CE16D18DD574075232CAF186C7218CE12D2F1A1235E94D56B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001288969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:08.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-14864-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001288968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.194{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001288967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D7D083BD9B03FF2430B4611CB6A15F7,SHA256=5C450AED2A44AEA1130526A9CB6CEEDC8429DAE9F4F72D430FE432BD94BC881C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001288966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.991{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC2F-6152-3BA1-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.722{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC341BFDC703FF7EC3573C741A77CF3,SHA256=36F089DE7BBED1B5A80D8CC3615D1DCBB58C59426CA12B56D095C359C02F8E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:11.499{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001289012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.928{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.915{69CF5F33-DC31-6152-3EA1-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F43645EEA8955BCEAE3A21EDB5949ED,SHA256=D55EF5776602BE36F8335C50B8BF6DF33FA40DCC890E9E8D2644FFE5012E40DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C66D3BEEBBA143E4242FB93D1B6CA8A,SHA256=7DA102B8A56593A3BE900F34D0392217BD57E7A0A340B7CB300726CE03C9EE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD80B167D99710ACFA1ECAB8A40AB20D,SHA256=003B74674F7B8A89AEF45EEED5879559092DC3CA99540BC908D02CECF435DEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-26140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:12.178{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.484{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.485{5EBD8912-DC31-6152-4628-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.022{5EBD8912-DC30-6152-4528-00000000FD01}64166256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.522{69CF5F33-DC31-6152-3DA1-00000000FD01}34882688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001288995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.303{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001288985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.289{69CF5F33-DC31-6152-3DA1-00000000FD01}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001288984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:13.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45BC69850FEB927749E4CC0ED9585A44,SHA256=DBDF1B727BE679708A9608B80DA77F62C08548D7068291A92C1F04816EF32B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.884{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE9683D66E445CA115F7B32BA44C995,SHA256=C3D61CBE526AF15BBEC6DC48D3B5D5920EA61AE1E8E660DFF6C1FA84CA6653EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.784{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5ADA43861428EF77A1526B416DE21C8,SHA256=BB6F1E054BFF18525CDC8AFB8F9EAA27CC170534E14BFBE00EE62C26650BC8C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:11.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-30104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.592{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61601-false10.0.1.12-8000- 354300x80000000000000001289028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:10.418{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-22804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.616{69CF5F33-DC32-6152-3FA1-00000000FD01}3512108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.460{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.429{69CF5F33-DC32-6152-3FA1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2BCAF3039ED5A7043DDED1D3CE98E5,SHA256=1A3EDCD3964EAD1678BF7A602D143BDAE9C3E9078FA047DEE2C3EE2D440DAC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.317{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.967{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C03BB9FF0875317EB0B824039D27D2,SHA256=A456B2931F9B5A08B102BF55103B62177822B6982D2F7E4ADA8ABD8E81B63554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5207B739DE19359D02B3496886E4F15F,SHA256=FC10B9EE170981F3DE30F1A565425BB93C8EB605CC229D3629A0B4B42C8E9391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:15.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17ACB423C36AB344A725A7BCB8DCA912,SHA256=59BDE64431C45C8CA748BE6A25FADB179B8F7252AB98FC54D19B9813A7D98B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:15.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880DB52A92BF58B3EA049E9388E56D55,SHA256=EBD3412F676D691F5FF81D182CB5AB3CD9F6C55F9A0C591382D7DE44DFF7D5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.408{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:13.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.835{5EBD8912-DC34-6152-4728-00000000FD01}58486448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.822{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28F9D46BE30506C8B8DE4D832D78173,SHA256=3A8E2E6588D18FC9327489011F41AF8DB9AEC4E75F4FAEE85B67278D496D38CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE68DB8CA84E187293907D10BEE788E,SHA256=C006D093C6A26B13EE36A7512B2E3A3122C4BCA87454919F3515328E03236FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FD2E1D46BCFAFB6CBDD6BFD3A43155,SHA256=8067F24D62B945EB400873BCBA3ECE4639EFA0D461EA5DBB809A7AFE351208E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.604{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.599{5EBD8912-DC34-6152-4728-00000000FD01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001382797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.551{5EBD8912-8CBD-6151-0B00-00000000FD01}6406104C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001382796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:15.601{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:14.813{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11734E6F91DF13BC9B41F4F766309A5,SHA256=0E4598F0C676AC938809431846821558E63C609D060EB8C2E77B362AA0CB8A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:17.635{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24399465DEA7F2F065CC9477C8570BE0,SHA256=67FF11808E746F5CAFE2EC8C44109C93BBBA43B8436362DD89DBE710053755A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.827{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-23284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:16.091{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001382817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.353{5EBD8912-DC35-6152-4828-00000000FD01}68605700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC35-6152-4828-00000000FD01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC35-6152-4828-00000000FD01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001382810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.151{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC35-6152-4828-00000000FD01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.153{5EBD8912-DC35-6152-4828-00000000FD01}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C587A1BE97552B5F008D9728C8135C29,SHA256=93CCFEFE80749B99E8675D8DBA158FB11BED7E9D31CC94B4D65FC19249EC0FC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:14.168{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-43964-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:12.920{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-37121-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:18.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F97CCAC75E4AC4F430A3A50962D2D11,SHA256=93ED463E0C74B6E7D7423087737977B16EDE564B819CEEF4FF576D95F192B617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:18.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA435845039B577C7F51F54055854D99,SHA256=375E54B3C7E6F140B82D18B6083F96FABDDF91B9E22AC68C460A10854063526D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.547{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51348-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001382827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.547{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51348-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001382826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.439{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local51347-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001382825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.439{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51347-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001382824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.431{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51346-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001382823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.431{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51346-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001382822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:17.082{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:18.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FCAA8EF88DC7CE13F2BA159D83D58DF,SHA256=559144EB3211EEC7D1A092E63E1A41AA43C803391CACFC9E21F05CC964F5B5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:18.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9822E6971D08740A20411937C37192B,SHA256=C7C52ED8D08B7904AAC3EDEEA99CB297A4774C65F0FBDD9E071D3DFDB246E822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:19.729{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC6B2D3DC91BDC9CC426B77287524D2,SHA256=28EE09F90A9EC3537591012B1D4EAEC8BE197F74A23CA04B0AFE2018F4045F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381007519FF7AC9A152C09A594603EDB,SHA256=4E37A0EEA82B2765C22BBE262E4CB4024089541594C0096943F73B343867FD29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:19.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E44812C79A30E95A78B47A3CD063FD4B,SHA256=48859E62DB8CDE295739755D647EE1DA08673EEA9E35415C6AC2DD82C097A686,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.581{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61602-false10.0.1.12-8000- 354300x80000000000000001289040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:15.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-51319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:18.195{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48417-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:18.064{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-31556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001382861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.281{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001382830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.265{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1066DA1B4FCFA3B049223799ECAB9F67,SHA256=9F1B392A76188CB298DFF2DD2A6BE8C78588C6F06AA9B0FAD155FE5A0F18C915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:20.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26674321FAD50D35E02BCA3A4E9BD6AD,SHA256=78F197517820172838F4BEA5463C8A6A85EFA246CBABFBD2B82B69E588708845,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.363{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-57340-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.181{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=938E9C5721A5059A915BE91B5579E03C,SHA256=36FCB44B5F707297E1F02BA778388B7917AA5A9F6AC56E792C4F8BA9AE2E7FF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001382872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC37-6152-4928-00000000FD01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC37-6152-4928-00000000FD01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001289045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:20.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B6035B7438D84CB1F9A66C53F65A248,SHA256=0652A8A51CF3A26184A12B3AD2AD04FA2552E52D8494703D812AE1C10CDFFFF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:16.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-58473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001382866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.003{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC37-6152-4928-00000000FD01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001382865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:19.999{5EBD8912-DC37-6152-4928-00000000FD01}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001382878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:21.765{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7718613528BC4F0FBD26B50EB6ECE16,SHA256=77AB1FA66A89B0E050D05A596BEA103C698EF616DC6F6216CFB28946DD17EEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:21.019{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC7862A7EB8D0BA39ED3C7C73A5CFA4,SHA256=87E386429D676C15FCA526FB78C8A43F6B1B699811D7A1864EB7A8AAF060550E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:18.015{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-6165-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC3A-6152-40A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC3A-6152-40A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.542{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC3A-6152-40A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.527{69CF5F33-DC3A-6152-40A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE09F236911ED7059E16EA66BAE457A,SHA256=5296E59967C3A75DEC0074DBB3FED5D672E961DCD172B5541DEC66C78D38FE58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3C04546C2C5B2F734EC87C922BBE17,SHA256=5209840B3B44DEEEE4CE5CC6869906AA0C16E936E9C7B1B35E4CE1665F21B14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:22.882{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF003F5400582280A6017B029234A825,SHA256=E182B6ED74BC55BDC6BF36933E71FC33805B6C7B5889213A43A41757CAB78235,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:21.581{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:21.542{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-2989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:20.423{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:22.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1775390740456085C0429D9FD63A6C8C,SHA256=2D22265DDF387BC6FA30942336A9F471A7A3CE95D975764F3F9258C474DC7482,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:20.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-20693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:19.311{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-13675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:23.385{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71F69AB9D18F5C37E89426F4165C6D2,SHA256=74B34603071762FDE36C7F217716B3799B9782C697F0CF0C89BFFBCBFC6E7E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:23.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABDA418B944C53641F4FADCFBC0652C,SHA256=7278C387120674A8660EBE37AD2861E0634FAC3A10ABE78891684406F0827123,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:22.111{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:23.104{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E516AA628BBD2694491BAFC1F5B7436C,SHA256=BEEF616D346C14BFD4AA9FB2755ECDADA1C2C33C1E730A3BC1C71A1B82C33875,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:21.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-27549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:24.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32C7501227F316CE0D132E5C542817D3,SHA256=BA8BC0465132F46643F19A1306FD2E2704985DE261C37FEDF1457ECACCD5BAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:24.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9985FA4F5FF475240164F50891D7F356,SHA256=F730F49AFC68AB7E100DCBDBB9D3B81EDB1C12BC6A48A8141894ED68F5B00A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:24.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:23.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:23.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:22.789{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4491-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:24.119{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D590D669CD11E9F33AF8D14F1E44348,SHA256=EB82A5F756CFEF54D24212875319BF6B46699D15929AFF0FDAAD029118B003C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:24.019{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB4AA3A3DABADD88D77BA197D16A3EF,SHA256=CB794EB0EFA23AFA7713B4DFBD1764F086D594357D900384D6D874B443B98CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:22.581{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61603-false10.0.1.12-8000- 23542300x80000000000000001289070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:25.542{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE36E96C37A123A089DB4F6ECB68155,SHA256=7711158A3280193AAE42178AE314D45C4A562B77C969C61602D043B76A1FDEEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:25.035{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:25.134{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66776E5E95FAEA23370749400544083B,SHA256=28F84461EE3FA79540B94DF6F35FE3AB9503735326F9C239AF7DDD0BAC6A3BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:25.118{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9F2EE0DB505F3F2F8703F824725A11,SHA256=26B4903C97D7345A0CD64A91319E167E3B6266E20C3919D5DF926C35C8E65BCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:23.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-34548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:26.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A06D448A15F7C4DF8D282CB9F327FA,SHA256=E60A25CF5D9FB12FA98D21C0A8CC8D8676FE103E10B4379B5F9CFDD4BFD63136,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:26.135{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:25.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:26.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C24801DCD9F10442FA08BA10E164FC8,SHA256=D63CB171D5C594ABB62B023B6036DCCA3667E18EFD05FF1FC66A46FD0BDAE56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:26.149{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4213C3C01BFB45B452F1100F0E07A7,SHA256=4525EDD1F77E7FDF004424F45AFAC502FA8D3DAB66BEB5BBDC30839EBDA82FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:26.057{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A713C4F2372574B92B32E0583A44FF8,SHA256=835E8D866BC8762BBE39FC97512627434FDC34A76BEC8D02919BC90D16D728C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:23.194{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-542.attackrange.local138netbios-dgm 354300x80000000000000001289077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:23.194{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001289076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:27.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D00EFB8972F489B8B86DD8201DEABC7,SHA256=D4D73A396BB229949A406AFC18CB6FA223F87E01AA43AC8F5F205F530D856361,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:27.547{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-26773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:27.296{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:26.463{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-22362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:27.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08C0A0BC3351A899A9EF6CABFEF5A555,SHA256=33C962A444A150AAD809ABA4997A2A19F67A9384B9A4A8E53D1FF7BFD98763E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:27.179{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCEB2876DFE8D513B3F494DF9549566,SHA256=901F1DA6D132C6C55FD4809C6C1EB07CAC2EF3B73008E787AFCA0C90C5A28BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:27.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=956BC1024C37EFD4C4ACC33894852A4B,SHA256=FF4048B296D3974BF19276763FA84745EDC0FB3BC63D0453E3F1FFC6BC017401,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:24.501{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-42129-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:28.839{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7071B2CC55CB896C264725CECBE1AC,SHA256=995449DAE6987EA206959B9B46B9E272F959B797C31A395E8AC87E6D21C7A849,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:28.090{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:28.547{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B847A0D3415DF71690E4A575FFB10FF,SHA256=8B60571804E86E9CD0BDE7EFB869738060524AF675A74AB08CF896D019BB49DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:28.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6322DB0D6D2EC6B53A683CB395277D13,SHA256=7EDD53BE46994BB23790BDE42C0AD258657E557B7C35B5483A518368D8856454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:28.573{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FCB88575A8D6C9EB61B5B1679B82D10,SHA256=444A3C6757A886490353B0161B0F158DACD307B075B1298D181994C176F4DF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:27.039{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:25.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-49265-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:29.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E10E033161CAFABEAEF6103DDA2E8703,SHA256=8655461D6593854341D64710502234DB18C1EEEA1C124BDE8CEC026F86ED8D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:29.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B12219888E7C968FBA52C532953F20,SHA256=4B490DAFAB36738048E6E1C0080F15472BEAE569CEE1B5B13C277A0DB9DB5EAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:28.708{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:28.478{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:29.846{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1661C02113DB461A8CF4A9C4F9E676B0,SHA256=42DAE4692EA603B1DAFD1DEA130C6CB13B67C3CEEA603EFEFDAA9A5D8CA432C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:29.215{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24483D30D003815514D8BE4F7693783,SHA256=36AAC3922891FA071DF0AF5EEAC0DE29759B2E07C0B5CFECD3E1606559130C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:30.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270B9CDBD3609F1BBEF1AA0EC1D77E54,SHA256=F57F332CFF504A650FC04209A4B0985CB103EDA9F0D0B684F86ABD0B7A1E8904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:30.915{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F91378A5B7C2FF6A99162C9DDE2B0443,SHA256=CE7F352D22C0F258D87C5D89965C0F3FA0536B824865E1F911AA85D902CB0EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:29.659{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:30.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7E02ED5996851D9AB70777DC22DAA5,SHA256=15FA94A497E3C077C397E950FC52D196DE1B61CF268C2E2C529B1C1BCA9E01F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:28.596{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61604-false10.0.1.12-8000- 354300x80000000000000001289089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:28.453{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-4589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:31.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C889D930CA1736C856BA5E9C5FB0B5FE,SHA256=CAF0F0698F8803DDEC39721B67823AA35387B931C21FB50122DA5C05D0DDF695,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:30.890{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39912-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:30.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:29.806{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-35370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:31.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82D9F5A182D58F5CE67FC2B9D8A958A,SHA256=184D03BBE4DE87DC3438EEE5F28A89354C75E41A494AA5EBB63AD75B9F2064F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:31.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD38950AE031ECD42C1C557C32F48A07,SHA256=538608ECACAF1A7499FBCAB6AF8393AB4C6C38F05095F492C4CF78550AC3605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:32.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC27820E097246BC0F28C7E7FC0BE532,SHA256=A343CBEF03A81B7A83B306DDA41BBC281B6EAF640883503712A0CAC623C8DD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:32.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AED891175E23465E5CAD5F6305DBB6,SHA256=FEB28E186E090FB67621CA75D7A602825B631FDCA68D2ACD6A25241F63D588BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:32.308{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:32.271{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:32.108{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-9405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:31.976{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:32.261{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CA4DDFD5ADA2944764C6A92ECDAD96,SHA256=A07765E533B576943FE8DAD7F434D2EF9B6C5DF787C60EDEC63C30D351191989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:32.046{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=292F8750E5F8C0D10D6E83AC3CBE0365,SHA256=1E7A1D2AFA733F5BB8A81AEEAB58E97B6C7B133C9726B9AB7A8D49DB57289356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:33.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19102DAE5B5189AAE02DD0BFDD8A58E9,SHA256=0A532B7A4FDD7EDFA7BA25EA46B35384DC3F41B255C605132916778B0CC39911,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:33.259{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:33.059{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48673-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:33.313{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49458AC170DB49BE67BB3983FEC5B3D3,SHA256=E0FC539266A9EC460F40E63463FFE34902953C9C1EB4D3AF162E3EE518F39501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:33.129{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A5864A44D13647DE2EA51FBD78CB81,SHA256=394CAD52700D85EB56CBE0109B1B76FF135C0CCD7F78FC4C91AAF6EB3401FAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:34.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100A6B0EDCFFF8FD6E5426016360E524,SHA256=A25469D4D28166D1010D6DC68970F670E8F2ED2C5497B487B1A72DB18C956C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.526{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-15526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.354{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.157{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.037{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:33.437{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.344{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FDFC05504CC053839F75B5B8585A6B,SHA256=9441B47C97421AC8A24E299BCB39D8FF12E9D4758A34D899B64AB013C28B690F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:30.016{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-13202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:34.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A0594EAF04A3F4A7ADD445076A8BAAD,SHA256=9DBA45180F8CA59A8B7CF09F7525D51C39942F02CB755CC5113A075872DD93AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:34.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D7F2AA776BFA94EE0735445CC8DD6DA,SHA256=2C407E3D83DDC103A8B7D96E222D856E572E8797ABA3BC0556026ED181D2B1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:35.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CD19FA6A9AE4AA8EEBF946012E0C24,SHA256=0EC33B5DBFBF5EA50481517AB3705C0D5B1B9CE3FE65712A74E4498F43485B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:35.443{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:35.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-57431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:35.474{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E3C1ADE6BDCE52E7F12B9FB660087F5,SHA256=1BA16EE4ACAA49F4E659F1977D9AD404E037FB2FCEF47035869FE6D1EBFA02F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:35.374{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B408DBE6DE1F41F81A4EC697A86ECFF7,SHA256=984D6FDD862257CB728488FBBE1DE8323D57E5E18477D7B4FE9D23C04CFD2D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:35.448{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1249E4CBFB1900B9FBD44BC3F50731E,SHA256=F7474CA3BB28BE4728B0880D9795A142044CA4D39B5DDAD47BC0062B54D28ABA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:31.315{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-20691-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:36.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC422FC30BDA15BE9A392CB69B93CB59,SHA256=CE446CBB429FEECBE8546C49F44CB543692B57AB9817B7503FBE5AEB53F44A18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:36.688{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-30964-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:36.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-40196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:36.504{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-2905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:35.605{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23229-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:36.611{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D72E995749347D8333DDEE726B03A78,SHA256=B10A80D5F22E0DE279062AEBE608F5C6A51BA25311348EE7E65746EF67D57AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:36.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D45017875CB69D88A536EEC9AE8554,SHA256=00761A55777E028757E34D54F36FCF6E661F8482D19D32EE1DCDD599E30A691A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:36.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC210315D041E7AA2ED4314339E5B283,SHA256=DD97038FA4F3301B3879FF3B39E3ED01D292F5BFA2503554336EF719FADDC500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:37.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F6C5535A0B74E29C1690E805BB3EF1,SHA256=E19380B7DEF4A88F4760C51E1FDA21A8F0E2D960F00B9CCB5856049458CDCE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:37.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8BE57E5310E2BDAA2737AF5B3BE78A,SHA256=FA6DDC27BBC1CA1758DDBDD1C2E0A8BDCA13E4C53B59D4CCA67E487E7D04EC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:37.637{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-7539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:37.624{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:37.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F4D0271249AC8DEA92CCB8F167078C3,SHA256=5C47D2AC272210C7C357D9EBD8F32A681561D92E6A5596C5C4BC1302508002A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:37.441{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECDCEB6E85B3A538052B071A27ADB94,SHA256=AB1F01DB70E0B18515EF3835B7D626A9CAB3A1D263CEBCBDEE8524A87A5EADCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:33.875{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-34714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:32.624{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-27494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001382952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:38.720{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:37.839{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:38.808{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B04C75C7B2AB5C940DE37BB678A5F829,SHA256=DCAEC6C997BEF3AC99DC2511CA93482B8A410EBF496DEFE4C345FA269CDE3365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:38.455{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2360E5A9EB7430F5DA1ADAA3B9B7E592,SHA256=4DBA4703FC06114AA0334545160EDFFD7ED52EF4426BB71EDE29F9BA5652C5EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:35.126{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-41741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:34.565{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61605-false10.0.1.12-8000- 354300x80000000000000001382957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:39.201{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001382956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:38.975{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46375-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:38.738{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-11931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:39.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11AEB557227C4F26BD6525925307086E,SHA256=6687B66BCFD12C2BBD184FE119B5FDAB0BD826E3C9089A2287EC0C441735BDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:39.509{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1C6CB13DC2AF973070FBDCC8C70F13,SHA256=62B06DEC722839982513813040067055E18434EF9AACE7D2D2EB2DBA572AA32B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:36.575{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:36.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34489-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:36.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-48596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:39.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931311157F523347F455512DA7DDD505,SHA256=1D9896B5C3679A31EB302DCDDBBBE0FD621B234E066B66C01A660F5E924AEE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:39.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1363AAE4477CCDBCA6B47208CBB36242,SHA256=A24C924375D587B5F85AE3CEF871AA71B7F65721E0F893B1893781B9F3DCF95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:40.972{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65A2A6DE3C290C4C323C6A3F92159842,SHA256=DF702106CF8F63116D65D1FA8636001F931F7990296E50FF0F6867A4458D05DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:40.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66485B6A4D2C839CD9012DC599DC07F,SHA256=AFD4182EDD42D8E3574E65E93EEF800E5B08046102D7C9E9B7DF3CA7160EA9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:37.697{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:40.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F1B1CD034FBDEEBDFF1EB959F0E5346,SHA256=0C665EE0EE8DC0A93B9D19632167C1F58BF2AB96D979C6E92E1DD7549524C9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:40.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F580B4A7059E68B50E74AC42073776,SHA256=EA0C4A7218863B8618A1EED0348A23EA3CAE6DEE27140CCA84CCC306F478EFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:41.540{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583948C2F549018BDCEE0A2F3254B89A,SHA256=4B1F48A4B8BD9A58481C04AA1C2D91EA68F9080309633072063EE5A9B8A5EF4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:37.798{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56089-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:41.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500BF611D1D4DF608169EA81380EDF07,SHA256=E2FC008E6826348F0900679241AAEDD477597CC0B2A1B9DCA67B7C3BEA1FE52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:41.107{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EB75DB86B1E2CDD6D0E9308FFFD17E,SHA256=8B2572E10D55611109574C1EB740ACB634FBCFFB02E2E424EA24D17AC763C537,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:40.135{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:39.955{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:39.822{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-16361-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001289122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:39.049{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-4450-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:38.821{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46585-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:42.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEE668C5F990A03EAA78D2CCD3470463,SHA256=E46519D7CAA967DCADE0B3712E20DC99F6D935AEEC5775EF81736B51CF8A6238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:42.107{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B30C1D0D3ED094D2FC3BF847833920,SHA256=943A51BDEDA878E8E099AF52EDDDDA73A9C65226C11D34512C1C3204061AAF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:42.543{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CF02B805AF615A2065654EBAA3CBC6,SHA256=858662D61457D49111B3EF7C2E881DC7E4BF96E39CE9558387A6662C0325475F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:42.044{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891D3D6B1209DFD42CEA682BB2F51124,SHA256=01AE6CEF293C8E44463F1294AAAF5C517C1A7D1BC34EFD88479F1664A9826357,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:41.249{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:41.051{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-12425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:40.901{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-20650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4068F6F5E60E85473AC072E4E186915E,SHA256=2D55FF522771483D8CF5CFF2A59A5B0A02A62B664F409C47D113BB76E8AD1408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:43.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B1BB812D8D7D789B1E5527019469C66,SHA256=17D17A52A7639E793BE73D1518AB9FDE3C65C43B898E9565BA2113DB43446AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:43.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B4982707CA7F58F942AD9B34344A9D,SHA256=A133AB3CE6CE9CFA0AC78859AC06099E45D7D965BDA29761B860B9FF9A764EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.227{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920F7C35B3B4CE1D14462281D3C93A3F,SHA256=DB3074AE861BCAEA3231D700F9F59FEB9FC479A796BA08EE30E27C99A29FD044,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:41.984{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:44.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0178B47FE710CC3D51822889B299487C,SHA256=0F64D019F61661EA2041C190A1AEFD5F5B4E92832B9A0D26D336C3569188C4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:44.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA24A218BF22994C69B499A7D71EC44,SHA256=3A62229216E7A0D59BCC9F47120E5DADF1D76761B2564B8359023F51DADA0901,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.788{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:44.572{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A305FBC72B8C1DD4F3F8CB41877235,SHA256=F2DC3FB582152DFB4EBE8139EB9D8927A4306AC74E3D63A011BE4B07C9FF475C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:44.341{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9187D0C43A0F78D829185F1F8E842977,SHA256=FCC6F54662C5E330D21C71223E3EDADD7293A6DBF7D1FB4181971351297A31D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27757-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.072{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29247-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.021{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51353-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:43.021{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51353-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001382973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:42.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:42.172{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-20162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:44.263{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=646227C6DEA701B4762092C941647E29,SHA256=2413FA3F71BA5D4C0D249823E7F8EA5BE1B9DC98E71250DBEAEF11F862013B14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:40.042{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:45.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B589D7A16F01C29C1C2AD558F3B43E4F,SHA256=0764FD0AA94157ACDF9CB7E699DE83483AD161F03D651E7CAE1B337E621256C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:44.953{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:44.625{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36586-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:44.252{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-33550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:45.593{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEEC41EC961AB660443223E3466B89C,SHA256=4E5A3FE5730ABB02F805D97042E354C82E9D11A159657D13F265D29C7C4A826A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:41.597{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17353-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:41.137{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:40.584{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61606-false10.0.1.12-8000- 354300x80000000000000001289129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:40.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-11332-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:45.440{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=835EFD54307808FB3DA564B1C44A887D,SHA256=86E13A4DE4446D04896162626B4FAC3554694127B16A2CCE712E630413CBE52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:46.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2312AF755EF0A6BAA468AE8BAE046A70,SHA256=AB74E18C11813CA10737228F54D528494D58F829231A71856AE7A7187755CD8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:45.727{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:45.354{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-38199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:45.202{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001382987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:46.624{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F321B3243DDFE267062D493F3DD6BA3D,SHA256=8F80B6CD12B08146BD0A03E79F9A2B5D595AAD875FC1A8AFC8E7931A2C6CB087,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:43.293{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-10825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:42.986{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:42.213{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:46.013{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=847700B8DCA9725443070F7DEA389E91,SHA256=43FCB6F7813BFFEC6B7C8E6A74F88040D61477A959768E7454A319B9B3DE09CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:46.508{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C066FA25A264A01D5CC2A681E11F364,SHA256=6CF71C3D1B210450D4A25833369386A62F7F12D444B787B662CEF8DC41E8BD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:47.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3AF9CB3D4A391D818A06D51DEB0A86,SHA256=0886652C29B6CA346468B2D09AD91DCFE1AED8D777E70A62EA9C0B27664F8EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001382997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.146{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44435-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:46.823{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:46.439{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-42337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001382994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:46.058{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001382993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.654{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0273189D3D2FE3A2B3731C872DD7EA,SHA256=ADF7D7B74AC119733B4C47F701EEF2845B93502C9B977ABD412A5D9D3857BB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:47.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92451D901275284831576A32FD184A90,SHA256=84672B1A6FC21C649F4F69214DBC40CA937DDF5CC6B80FD1B3BFA2A5C96AED29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:47.029{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.589{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326683F23A5CCE6EF52E96A3C5E8669F,SHA256=76612FC45DF9FD8A3854F830D45DCE92847C473789F2FD5216FABD5E5A9E1504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.539{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:48.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1987AEE1FB73ABAEC5B0374580AF8F,SHA256=07C33476A56F31F9857B88780F5BA6220E24FDDDE070A82E0F09400D6B521D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001382999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:48.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468FAAB2FBE5E288F6960E0CA0F5ADDD,SHA256=EE21A63A9D2DB3C4E27B6365F2CFCC1041C7E3DC1246150E7714FFD2EB2469F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:48.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A59CF51D6F4E3421BDFA3FB51BA50F80,SHA256=7EDAFABAE0FC12414767DDAA11FF67C25D0A39D1732237C2D44C8CB8A2AE38B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:44.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:44.237{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-31732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001382998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:48.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93362258BE94BEE8355F2253997E5106,SHA256=FF397EA40C179099817C19FE7F1DDE504278C505E81DAEBF6D66D8200D8F4B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:49.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3822AE99CEFA1E7E5EE7D3F9598EAB9,SHA256=413374303C153617D748836F4CEBC4E43C86A4FF715D169418ECB8F3235E5713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:49.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A09DF064FE167229AD5D7027CD4B938,SHA256=12828E5329236FF14E88CDDC8A234DBE2306EB18ED990AAB390383EC311BEF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:49.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE0C68B1B3CC0A450889CDA3D7A7B46,SHA256=258ACCAA201EB66A9CD7C3C06DE865532BEA334363B4D22E25473091D1FD32CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:45.603{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:45.486{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38716-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:45.365{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61607-false10.0.1.12-8089- 354300x80000000000000001383004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:48.599{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:48.526{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:48.516{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001383001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.913{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-59143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:47.522{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-46657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:50.836{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FA6905778E2AE4D64BA55AFDFA30C0D,SHA256=7463AA17F948F7F970D88FCFEE2F9EA124F8576FB196E0EE240000CE4FF7478F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:50.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2E0E4702762DF602738F707FFADACD,SHA256=3EBF3B0E509587AD2057E64EFF766159CF819AA8F2879869F0DB9A8EB3771182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:50.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F371ED28F6F096D4E6770C3F0AA3BBF2,SHA256=608473CE88CA4AE987BBA723CDAEEAF8B4A7EECA975EC23D1C14D6D87C05A517,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:46.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45765-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:46.697{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:46.411{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61608-false10.0.1.12-8000- 23542300x80000000000000001289150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:50.076{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9011D7D65366EAE1C583119E61CF2920,SHA256=D5A0BAF7D197ECDD2DBE5EC32E3E2635526CF92C4EA95755CC49E2B508B9588E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:49.642{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:49.036{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8076-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66586A2B88D265F8D493ADA0358A1B21,SHA256=74CF4DBFC1ABF9196823DBAAAA541FF50709D1B12F1DDDBFEDCE3015B2C9A79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:51.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C2FE6A59B3A6A336DB0E842A75C360E,SHA256=D694A9926F2E6CF64E3B21422E7DFF479034A71A9445477B0F34BF041D2DD485,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:47.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34633-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:51.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3ACA4DEE2168A34540835CF9A2AB69,SHA256=3400424FB50F78E91B88E306E3B04E3460140103187559EE3C9658578F7DA1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:49.682{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-55173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.719{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48626F9C30BDE3E8951B51D1C8CDF71,SHA256=9A19E690871ED19B2F85D034E1B125FBEE384F41D5B5C1F63F4F0D527E3C7138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:52.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F1D831A4464018D6C4E6CF7F5277897,SHA256=856B44AE3BAE519B239745A86719D18FC6A7A2F2B85F2187D156194BCB612C8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:49.329{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59663-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:48.947{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:48.080{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:52.107{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8142F7372D6301DE9920FB012EAF9052,SHA256=C8C4811EE7E03E1014E585FBBC0404AB97E9C5A81D7A61DF778CC926470B2C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.930{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4714-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.908{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4563-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.885{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-17923-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.296{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-23556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.176{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:50.765{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10161-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:50.765{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-59274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:50.135{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15910-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:53.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5555A9C374453DE0D7ACDA1591247FC7,SHA256=AF5FA11F07372F43F480265675B28BE9264EACFA5E258EA97A3624D7ABBCF96B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:50.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-7669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:50.026{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-45455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:53.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF11373A683BADB0254643434A45773,SHA256=EA78BCB543943F16F0D0BCFE3A6F3C5AD943EEBCB33CDA5ACEBD941F1480A23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:53.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0596406C3CDEFBC7CB0D57C2BBCFE2D3,SHA256=3CFC539F1AE186CD9782AC7A0F4B0C6A0B26AE9BA4C8E368048F9BE704924364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.989{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.947{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34930-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.914{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34742-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.856{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.832{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.806{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.750{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.709{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.672{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32950-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.649{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32769-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.603{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.581{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32298-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.558{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.535{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-31990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.512{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-31754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.437{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6409-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.399{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6335-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.377{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.319{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.297{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.238{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.214{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.170{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5529-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.126{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.103{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.066{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5203-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.044{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5071-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:52.005{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:51.967{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4800-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:54.882{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F9B2AA8FE9C77FD550B9D845319E90,SHA256=2AC330053CF1D338E990035528BDB78FB8B1F8624A3E5047E6A56DC319B130C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.970{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5712MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:51.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-14564-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:51.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-50881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75858CC475634696B30E7E0F5473E68,SHA256=7A80BCF7DC9A7E98FEB9684E2A0293450EE45138E8198A282528DA7C82DDC7BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:53.034{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:55.916{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3084E789D30B71DE083976B54C6D0212,SHA256=F5F058A80F0B55BC773713CE0A2FE9988A05F4057E8098A965ACC5757B950CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:55.984{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5713MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:53.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-21381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:52.427{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61609-false10.0.1.12-8000- 354300x80000000000000001289173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:52.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:55.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A76FBABC996F5588D41C20E278390B,SHA256=B02C541DF4BFB00CE6B0473205512ADD87183E7AAB0284B6E2B9E69AA132FA30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:53.081{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:53.057{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B79767D61293D801340E3AD05165CDBC,SHA256=364E3003065727B439B938F9CB5D6EDAEB26E0338F1B2903F0C3CC720A26D931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:56.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007F9E96C12DDC23E8DAD51CF30F9A8C,SHA256=4F82F6F863A4DAE71C530E34494CC6483F32F81A596BD2D74815AD5A5A40905C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:56.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232B249AE65B097DC53343C9EDB9F38B,SHA256=548949D6A6C170D2F1429F860BBC5991B90A1CE6C703F522843A5408B4D56665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:56.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64B46E9DB382B41295B6D15C7D264C1,SHA256=463D70F2D6F399F19A2BDCE39DA27451A033B44F0CC7E535820FB5B557BC1481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:57.980{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1395MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:57.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107105A86CAD01220AAE4AFB39EA806E,SHA256=95B428ED7E0307F14E30E4BD31181564D95BF8AA68307714C45424CA668B166B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:53.369{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:57.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F9E8798ABF7B1971BB0477A5EABB15E,SHA256=1800910105BB54BF7108565DF5A051508AD1A24508DF4A6B86AAEFD18958CD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:57.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED0CA93E4E0B32A776FAC6E9D7480D9,SHA256=846E5B8167E07DA75E6B5F91AC42CE6CC7D31E6E48A64E81B09EECCC63FDF0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:58.989{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5228752179CF6C11D08FA4BEE9B8C59C,SHA256=750AD910AB595BA2DDE75920FD8421CEBDA0F478FACA5D9EB4248C9165195BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2683D0A224D8B11ABAF9D366D03A1F8,SHA256=20F627554475840C8B18D98AE181C641BD800D70CB491C6BDBCD9F255F9CE79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DDB8AE05E0DB0BBBF9DD2F0027E847,SHA256=1D1CF2CC04165C98BF39892760BD432775874541399A7C290E9CAAF3381B7A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:58.979{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1396MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:57.208{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001289185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.446{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-10288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-28232-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:54.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54839-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:59.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BD6DBF287A02A000772B18D07FDCCF,SHA256=A3F7F7CC33A6E3A9623BC7E7FD589F9D14FC10217AF87D23B012B79934143EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:55.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:59.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5042ABC001004B00C58ADD6EEAE05D6,SHA256=0AD28FCFA7E6FA7D530F5605AEB0C08A497C02146AAD9DED0C62DDC71ED4599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:00.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4729B116DA8F64DAACFCB08DDACAB480,SHA256=A22286C52772FA52FE558418BDB1D12BBAA1CD5FD20E23BE0BF2184F85EB866E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:56.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-41521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:56.640{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21965-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:56.468{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12065-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:55.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-34596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:55.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:00.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEABFC56F06543E347D70A442E98292,SHA256=8EB373FDF798E82FC86246FAF50132BBBD6889FC612A485E72ED9BAF7864D8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:11:59.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE08E6FC3096AF6856235F5B85BBB57,SHA256=796244B395AD9F8C54FA23597BFC89979321306C96F6C50D6C07470F0BD05EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:01.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA37E6EAF3553F84FCDAD93DCA6954C,SHA256=10627EFDF0488DC99619BD80AA77D0D21FBAF307A87B36C7D84FDA8450FFA98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:01.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E41EC315E1F28DE467A2E8DAB7243347,SHA256=6F3815F4958A4229A356C11D87BF1548FE77F727E299CE2BFC52F03C8B53C28C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:57.733{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:57.547{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:01.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404F194A0C7ED4F23430250F85CE8574,SHA256=AA34C21AE17F5CA82CE1B838D4E089F9360AEA18ABC023AA718E886C72BE5CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:02.027{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB581BD7013258062CBA9754698503B,SHA256=70CAAFD3394D356FA5361358DEA0C2BE39E287669F1CB944109070AFB9B702DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:02.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517878F604C8D4B31CEBFAF1208DDB70,SHA256=B8312B85391C0A4943BCFD30E5A14EDE32E176E37E1B2A83F6333B9581E1E38D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001289217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001289216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f4bd2b) 13241300x80000000000000001289215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x83f7a192) 13241300x80000000000000001289214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0xe5bc0992) 13241300x80000000000000001289213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x47807192) 13241300x80000000000000001289212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001289211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f4bd2b) 13241300x80000000000000001289210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0x83f7a192) 13241300x80000000000000001289209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b448-0xe5bc0992) 13241300x80000000000000001289208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:12:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0x47807192) 354300x80000000000000001289207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:59.339{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-55054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-33416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-27308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.416{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61610-false10.0.1.12-8000- 354300x80000000000000001289203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:58.088{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-48452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:02.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCB893B1971370E473CCDCABBC0EB39,SHA256=445E2BB266AD3B5962A60D0142976C1DB3173A7493F4156170F15F7D44D17EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D647E696FE5EDB705EC1CB602D7A4647,SHA256=9EAE0B19E05B09CBBB529DEB6D5BC44DE0A53962633C22369E96BCD72E98854E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:59.913{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-38993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:11:59.833{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F548F21E0E6B7426454FA3F0D081D8,SHA256=E8894B0DBDB175BB627C17C21A3B7DDB4DD86C0965604D925313ED79F0D6B6AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.199{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.174{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37391-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.150{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.121{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36658-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.069{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.039{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36448-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:02.992{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:02.967{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.041{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E85750C9A03F3E1250094F18E370A51,SHA256=EDCE144DFCB9B33E5028AB3F632B02EE88757231C6833150194D88435CFF886E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:04.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44B6AF83D611C5D3E37783079265D072,SHA256=FD642A5AC6D730BE78E332415E7E8DB381C553B01A3A0ECB9768E847D83AA3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:01.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-43395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:00.587{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-3075-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:04.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5793FED68615814231C1725427F49B94,SHA256=7B97ABEDD1A254CB94C9F589EDFEDF55FE87A72F780E760147743C8C100C006B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.140{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.103{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.059{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.022{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.998{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43262-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.955{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42567-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.845{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.822{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42222-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.786{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41577-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41401-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.680{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.655{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.596{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40567-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.573{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.534{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.510{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39863-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.472{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39680-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.448{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39476-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.422{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.398{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.373{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.350{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.311{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38232-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.264{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:03.226{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37752-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.056{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8996B528778AC42E67DD4C77F1E98E52,SHA256=B2B16606D3AF2E8424EC167FFD733819FD7E63B9E9FBAA4B464D3851BE0888FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:05.924{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FB3A5A19882E9B97D39EBEA9B25AF5,SHA256=B5270FCF9A614B634C46D0146CB24CB3FFE595D7C63CB8825D1431C9B2B0E49D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:02.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-51654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:02.055{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-10882-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:01.155{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-45413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:05.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFCC64F1555AAC9D1EFE4D7B55A44CB,SHA256=CA680DFF43EE13B1155865EC2368248D9359F3C32246C1725C576CBC2E1B5047,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.693{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.637{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.607{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47192-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.565{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.529{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46785-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.519{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.489{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46598-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.489{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.466{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.431{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46168-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.370{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.347{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45541-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.324{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.295{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.271{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.233{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.210{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44581-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.187{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:04.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:05.294{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EEC6FCB857B6375EE525B278D94A9F,SHA256=9385A225A057090CFE1843E0F074CAC74332F22E3D86387FD227D85A50A9A3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:06.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8A51D5D2F2CDFE5BE1E0919A99D38D,SHA256=EED102E981EBCA0ABFBFE0C8C00E0B41B1A81CCC52D5C4400F012109BDA1614F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.217{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:02.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-51217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:06.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A53B4CEDC109A8FCF4F1754089AAD04,SHA256=0063543CF357E78B6FF4BCC8FB941D76A891B6005E04D613391EC4C32CBB0854,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:04.484{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:04.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-7583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.432{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61611-false10.0.1.12-8000- 354300x80000000000000001289238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.373{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:03.304{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17814-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A44A368C66FBD15B3F8028918BF654C,SHA256=A8B0BECE1495A1AB41EFECFCF1B474F2AE605DB76300DC8F9F117F8ACA354C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:07.338{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5AB02FEBC915FCE2E18DCBF5891A56,SHA256=E861C9D172964B3CC8725398D7BDC3EAEF8280D708E67CD3AB39EF7DEF2BB403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF45F0E5BA60587F4815162FA2FB3434,SHA256=198480C304086CCB41ABF2BEF2677760948DDC742BF2ABEB8FC9F1E4B4B06B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:05.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:04.650{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24542-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AE9C376A94F4CF0878DF2E036AFCB8,SHA256=A3C3EBA524C5E0DDBDEB689C24F471029AE318206B2A8A8D5B056A55741E5D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:08.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC8D52BACA4D8C0D1261D0C546F209A,SHA256=F300DBB7C0017DE8E013F5109BB2B7F1F3BFD9E83D5500873982F88651FC4866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFEC2B3FA495971DA88A954D976A99D5,SHA256=A06365F12750357C7A320F564B9F8E4AA791A9CB257E80492693811588FCE76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:06.739{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:06.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:05.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-31682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:05.576{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-9875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF88EEF58AC39BAD6CF9E35F782F8015,SHA256=6CD9DB1819B9B90DC075B7638E736E0FF91BD346E373FFA3187C59D15CC6F563,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:09.146{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:09.436{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081FD7EFCE2CA85F6AAADCFB334DA1E9,SHA256=7BD9934C04CB145F17208EB7D74F6841096F551D3B0BB502F4947B8C12DC9A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24E6AA0F990191D702200CC6F33F7622,SHA256=470BDE0BD2110E1B386ABF3215A661354F3222B05C8529D653E2481C7F88009D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:10.487{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B644761C1A949353B0BA37BB8F2955A,SHA256=A9AAE86E41417D6D93CF6661991B9B64DE1B85F1F5B47F2C2F04F8980A990E1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC6A-6152-4B28-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC6A-6152-4B28-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.890{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC6A-6152-4B28-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.891{5EBD8912-DC6A-6152-4B28-00000000FD01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.790{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B3EBCCC6529195282FF96A723E5059DF,SHA256=D66C29B8901AAC2E98AD0D4053FB5F3DF048FAD9A2CA02298B3B846EDD2B5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.468{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B397847DC8A9F1D3EF01C0D0CB8B686C,SHA256=EA6477312A1C51A2E4C5AED014ED6B64B39205F1B8E32570349E40832247ADD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.235{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC6A-6152-4A28-00000000FD01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC6A-6152-4A28-00000000FD01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.220{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC6A-6152-4A28-00000000FD01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:10.221{5EBD8912-DC6A-6152-4A28-00000000FD01}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001289324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.612{69CF5F33-DC6B-6152-41A1-00000000FD01}24402292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001289323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA14C8D97F66F38AFB2A1DE22456A5B,SHA256=F0E9D5E4774F3050D79DA39FF4091F415D68FA01D42E3B233E92D7652CD2C2D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-38918-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.810{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-38683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.807{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.776{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-38389-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.747{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-38217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.715{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.710{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26042-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.674{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.658{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.622{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37430-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25691-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.599{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.591{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61612-false10.0.1.12-8000- 354300x80000000000000001289305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.574{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.555{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.550{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.533{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36939-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.512{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36819-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.486{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36703-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.479{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24830-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.464{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36550-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36379-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.414{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.400{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.395{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35631-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.360{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24039-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.333{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23807-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.272{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35039-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34766-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.196{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.175{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23013-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34050-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.139{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22790-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.110{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.075{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.964{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32864-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.901{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.865{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.842{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.819{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:07.149{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38527-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:11.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290F22626FADAA0876BE990CE3846126,SHA256=E33D58A8EADACD31D4CB0A00B069FF4977F84185DBDF31F900A6DF1BAFFBB958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.393{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6B-6152-41A1-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DC6B-6152-41A1-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.377{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6B-6152-41A1-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:11.362{69CF5F33-DC6B-6152-41A1-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:11.221{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=469C8193D972FF12DA4B4E30BAC1C7E7,SHA256=92494091A7F1A5F49A91EF401B015819B519CFCCB2E7D9E17F7BC3C8BD938C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:11.221{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC9716A2E37E3BA1FDD088E224EC359,SHA256=B493AEA064BD010EB1E263253837FA5632BEAEF2450195A7D5A95A809EC700DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:11.052{5EBD8912-DC6A-6152-4B28-00000000FD01}36364732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001289387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708E224E2D494D4660EA4BF7FB09768B,SHA256=80E96E28C3186FAE3E37B3233160416268587EF45F42FB82DCEB669EC572F6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA196BCA62EA7D49D794C6185D9CA57,SHA256=837A66CA71C17896DEC5D0B3F0F2890CC8797CAAC48024F1802C4D5E25A0B083,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6C-6152-43A1-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DC6C-6152-43A1-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.955{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6C-6152-43A1-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.941{69CF5F33-DC6C-6152-43A1-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001383170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC6C-6152-4C28-00000000FD01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC6C-6152-4C28-00000000FD01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.720{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC6C-6152-4C28-00000000FD01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.721{5EBD8912-DC6C-6152-4C28-00000000FD01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:12.568{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D14BECBB7C89F172B75F2245D51607,SHA256=29682A0109B0924B1EF68EC21524581F77AE3848764553CE752A2448CB538947,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-43429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.477{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-43269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.455{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-43020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.416{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-42833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-42436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.339{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-42191-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.304{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-29186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.298{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-42048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.283{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-29076-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.275{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41853-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.261{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.252{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41518-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41264-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.202{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28680-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.190{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.180{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.168{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-40727-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.146{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.111{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-40362-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.078{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:09.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39885-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.963{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.928{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.925{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.905{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.903{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.868{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-39048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-27011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:08.844{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.393{69CF5F33-DC6C-6152-42A1-00000000FD01}7363004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001289338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9535929AC79A97C68EF24BC0669D2766,SHA256=CDC878BD927285A7B43F4F484D3FE75514D9C0B8128ADAAF7ECBD59FD1E14436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6C-6152-42A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC6C-6152-42A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.065{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6C-6152-42A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:12.050{69CF5F33-DC6C-6152-42A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD21C2C942EB49BD9047340CAD09B4F,SHA256=0073976A1568EFC66B172FEE5DA0C35C78C8FAAC0C1A04E9FF09EBB86E6901C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.735{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=469C8193D972FF12DA4B4E30BAC1C7E7,SHA256=92494091A7F1A5F49A91EF401B015819B519CFCCB2E7D9E17F7BC3C8BD938C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.588{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2252BB94EE676192EC779409E0CA253F,SHA256=D7B8EE1F38B9413E6A8AA234748875FF865D60B685A9446F3EB8BDE479FBD807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6D-6152-44A1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC6D-6152-44A1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.643{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6D-6152-44A1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:13.628{69CF5F33-DC6D-6152-44A1-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001383179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.572{5EBD8912-DC6D-6152-4D28-00000000FD01}3325764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC6D-6152-4D28-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC6D-6152-4D28-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.389{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC6D-6152-4D28-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:13.390{5EBD8912-DC6D-6152-4D28-00000000FD01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:14.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6241DEFDDD9C1AF3C5DA081F7228E16,SHA256=25E66168ECB5F909BAB36CB96258ED63B36561F73BABB2F4AC18B044ED28348C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.862{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6E-6152-46A1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DC6E-6152-46A1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.846{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6E-6152-46A1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.831{69CF5F33-DC6E-6152-46A1-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001289416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC6E-6152-45A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DC6E-6152-45A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.158{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC6E-6152-45A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.145{69CF5F33-DC6E-6152-45A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9DCE7766F44F9DDE66D6E76A9309C1,SHA256=986D4FF45AB817B7F7BBE0F2599434C1BB2BF9267086FBC9320B8F54280235E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.033{69CF5F33-DC6D-6152-44A1-00000000FD01}20601924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001383184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:15.143{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:15.649{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F5C6FA036061C16AB051E52B88456E,SHA256=118B86628D6EA3E98F3A0DA2220BDF776E6378C8326A0D6F90702B55B53EFE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:15.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9952A16010DB67B6C183C58154DBE29B,SHA256=32DFA5DAAC72B753C5072D0A2594FB6C91FB2056B943177F3DC78CCA1C8A0278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:15.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1835EE5337C3BE7BBC3B529393AE22,SHA256=C8FB781D9D83D008990C6E354AF9CA6ABDFCF08B1B8C2DC0FCE6E0338BD13C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:15.018{69CF5F33-DC6E-6152-46A1-00000000FD01}38283904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.817{5EBD8912-DC70-6152-4E28-00000000FD01}14845352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E79764B983F41E93248EE30F644E753,SHA256=28B4A077A4873D730CF82E8FCC4E265968687BEB103D298D184505105E398A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:16.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1AC2FE985BD418055520EC942EABE1,SHA256=F63E0DF285D802C1B93EFA549CEF4407EE06EBF7D861EF9F0469C0DC8967DA74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC70-6152-4E28-00000000FD01}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DC70-6152-4E28-00000000FD01}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.617{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC70-6152-4E28-00000000FD01}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:16.618{5EBD8912-DC70-6152-4E28-00000000FD01}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.687{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F53616932C59B7E2049731A7578A0EE,SHA256=093C185DB659D6AB5CA6F449F5AADBF47840A1260BE88E952A6B514653BC7BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:17.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1E43A9E37E27C49FD255F0A9222ED2,SHA256=A87A37DC7740E6C12DB7EB12DCA24CAED308F96F3E615FE99FEF7B77E8ECA5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=455CFF4E0544E399C27ADF7D3EA48476,SHA256=2E146F14F697264F43439E512BF43F61795F0C82DB4AF5603256E3B356847370,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.487{5EBD8912-DC71-6152-4F28-00000000FD01}61244044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC71-6152-4F28-00000000FD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC71-6152-4F28-00000000FD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.285{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC71-6152-4F28-00000000FD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:17.286{5EBD8912-DC71-6152-4F28-00000000FD01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:18.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95223FDB900F48F0B18B6DC9D2B205C0,SHA256=810A1DF115F7B1E9585FF9A9AB8E139A0DB528791ECC6B1EE0E7826C0895A2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:18.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDF15A41D1166367D85BC48C09D5169,SHA256=18F2F22427EA3A8195BABB1179BC015F6BAF55B306DBE2273BE320664D3FF516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:14.463{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61613-false10.0.1.12-8000- 23542300x80000000000000001383207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:19.716{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A291D5D2AF9669B226A939110DA372,SHA256=635DF44CB6CA7A3CCD0DAAF4A96E35566EB9A1B0291DAEEEC33F669BE94EC4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:19.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1799BEC33E12CA5EE5406303444CCC4A,SHA256=9A7FCD10779820D72B3839C3178EC095EE8768B27B9F2F4D738844D5205E45D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.731{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D490E922EABD211F2BC63F83D5C08A26,SHA256=1A4F005121256466C8943A393DACC50F3E23222DE48FE78E7FB1E0A6249DF375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:20.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF195C84522A23D078BF9AADBB68B7D,SHA256=B2B4409DC7D9367C81DA900B9690B9BD0D0C54C025DFEABF1C1142F559A731B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.212{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001383218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.300{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.300{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.300{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DC74-6152-5028-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DC74-6152-5028-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.000{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DC74-6152-5028-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:20.001{5EBD8912-DC74-6152-5028-00000000FD01}3088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:21.745{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C5F7B682C214B29EFF2DF9A27C212E,SHA256=910B25DBFA5CD5056D38818362BBB5E29DD1D55655467F81DBD162E39D0BACAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:21.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA91DC3F810D5709070623A782C6FAD2,SHA256=DBAF21CF65C59270F69A6C5F498B97AC0DF8F35325342118CF0415E5DB89BC35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:21.015{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6C581ACA1324579B1FFCA79D38E60E3,SHA256=CFB55D87A306DC5E5A0E39E952BB37CB1E16FE9F99A460CB5B12BD99A1F23F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:22.797{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BD6391C7A64F210B53042474853E48,SHA256=AAAC85E319A28DD59A21EA99CA3029F3ABBB045B65CD9E4F0D8DAF442A641987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DC76-6152-47A1-00000000FD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.554{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.538{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DC76-6152-47A1-00000000FD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.538{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DC76-6152-47A1-00000000FD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.539{69CF5F33-DC76-6152-47A1-00000000FD01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:22.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB2D896EFB96E114C42A2B9523A627E,SHA256=31D34E37F656C6D2E6B8BF8BB255DA3E8CB800657E09B0441DB8C457155817EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:23.812{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ED6CAB9E16BA8D05653FC521DEF278,SHA256=AF7CB9AFE3B9A7985FA269C0BCE326E26005F63CF2CBF0137EA03094E4564863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:23.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D51F07538A5B4595BC1FE1BB80AA399,SHA256=A6FF7F4E9BBDB5C90DBB6A75BBD87D599B44EE29D4E78C563C0A5E9B2FE11A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:23.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25E3B43B581847979D24FD45BD7191B6,SHA256=250BC295FB59CC566965B6F69D04EBD9C97D7D59E8DBF303BADF86EA41215F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:23.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDC67EADBA337BD63A30C3BEE806DC8,SHA256=8B45CEC6E309C6423A8AE93FBF616E4C166861EDFE1ECB9EB810DCE9358C44FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:24.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812D30189E01AE1F2D64F135CDF05B9F,SHA256=26A2A04DC7A60C5ADB681762A59CF9E055D5D9DFD24440EB7FB6E46533607A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:20.421{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61614-false10.0.1.12-8000- 23542300x80000000000000001289457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:24.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2385438BE9ABA8FF04D6E82905C4C336,SHA256=4B493B15079AA61B9501B2595F7FBF26E091C6ECC409D2EAD68292D4189B83A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:25.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE5348AB13D76DB12FC7DC029C6A2BA,SHA256=A9E2A6B1983903A76F07B5C986C8D8CF3FDB8227B183917D67BB1BC734E5AC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:25.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A7A1A3498FCB4E61620294738A6EE2B,SHA256=FD9E06954EB9EA8BEF5F16A0291A817DC8E37AF1B1BC16D03C22B714DD59D960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:26.843{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BD0247A566812FE4CB4C67766F6FDD,SHA256=5B8C9A6EB6679DCE570EEBBF0E981E7417E25EE8EC5CE45C22FED2D390392D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:26.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A533312E81B57068B7E52C779B04147,SHA256=8093EB24E33BA6AF0B8A26C6DD534238580BA6CB713CDC06F735FDC02E8B17FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:26.172{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:27.863{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C8379CE1F57D7B65E5757500B0B119,SHA256=E34F141CC316A0836ABF82ABC0A86609C0A85C13C10E56A99C887FE73EF9B028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:27.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B27F927DC769F09769422EAB28E5A4,SHA256=F4CF9238747184264555CCABD92A9D043008D1E461EF9FB14383AFFD2BAE0F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:28.894{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A652EB29E0C64CC5AFE7ECF9389409B6,SHA256=51024A7F8466CBDFB9B4CB0EA5BB58F5C55E8418DDB8DFDD0B57905B20C0A7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:28.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823550E06847686D4B6F45CAC451E13D,SHA256=80CCA95C47FAC731B98D94CFA9DDF6B46F4B5A2EF4FC676E20D8CDF90DFEE85C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:25.546{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61615-false10.0.1.12-8000- 23542300x80000000000000001383232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:29.924{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36783FB05B80E651BB9B45714CFF5C94,SHA256=E60924EEAAE881DCC2DB8363CB9AB3FC4BF76D1B0F5EB1E5A5BA1327B37B3E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:29.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D436756ADB1D259FE4A05D2D5231A5C,SHA256=4C5420A06774F8DF56C0575FABE80C5192FA268404D33DACC5CE42D2EE7B9199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:29.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D51F07538A5B4595BC1FE1BB80AA399,SHA256=A6FF7F4E9BBDB5C90DBB6A75BBD87D599B44EE29D4E78C563C0A5E9B2FE11A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:29.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C5DD35549FAF7A401575156CAA517,SHA256=5ED75F61F4EBDE648188AE372A22F4D64E58615E96113641159B6D4D55EB4F75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:29.685{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261616-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001383233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:30.939{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1A04E0EBE12D14ACD5D3AF41B3C38E,SHA256=AF148C9CDC08C43A14ECF1C829A5DFA5BFE0AFB3C24CE12B40E653F562B10B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:30.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D436756ADB1D259FE4A05D2D5231A5C,SHA256=4C5420A06774F8DF56C0575FABE80C5192FA268404D33DACC5CE42D2EE7B9199,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:27.006{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61616-false10.0.1.14-49672- 354300x80000000000000001289469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:26.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:26.922{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:30.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72741C79295089B8297A84D2FDCAFF11,SHA256=C48C4D7DFE2E185A685958A7B4F17301B2CD7384D7F3B4727320109E654497A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:31.957{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DB20E297E9013239A1F6C239CA5065,SHA256=B6B5CBA62B5EC5AD2363D3E570E081C8FB352D6AEAC4F03E6E0DF301EECFBFBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:28.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com4981-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:28.050{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:31.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98EAD818FEA4CA6D35F220BFAA24F35,SHA256=E5479F550904B2518B9D55C91B63142BEDDC6F49BCF6DC7F1799A3339F51C405,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:32.151{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:32.974{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06350269F5B6CC9A3C37D508AF65630B,SHA256=36DC35DF7AEF1AE990258AF638E06F57F6A3851454D79E6B13B96DD1A4039748,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:29.319{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:32.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A26A89B8FED0187E33CC2678989DBDC,SHA256=1FE4D34276F6B28CAD4ADEBC6A3F7F859F127B1C4216814AFCB14CE59FFEEB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:32.069{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1239DC74686C93B5F61EA0423F5A26F,SHA256=6BD24A6E77824B0746C78D8F663163DC44C6D8C9FC5D890076F7EA803A133FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:33.989{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96A9CA6A20B62F1CD4FA9B147B6ECF8,SHA256=05FC9C13D9364C021E2092E3137B5B7E7CBB7027508B1BDAF3BE82698B25F94B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:30.442{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:33.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147A211B45BE7615ECC22997DB5AA535,SHA256=E932E115113794C8B0310E4173D3ED18A4EF7918B0BC0066DFFF38C0EF639707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:33.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D76D95082447F479C22D0D04C26E4CE,SHA256=9455ABEFEB7BFF9FD6DBF3AC6CD71276BA8D844823B973C4ED945F1F2EF65A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:31.452{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61617-false10.0.1.12-8000- 23542300x80000000000000001289482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:34.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132EA584091B454E76DCC887935D788D,SHA256=4BFF73180FC986624EE120F029DD6BC44D9FC6D08C66503EC2AB4D533BEEBF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:34.241{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=669B380C54FA23BDE5288FD60632C4C0,SHA256=7133554E63C040587B8E1868266167A4E36839ED4BE09DF726A170BD6859FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:35.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C323ECADA5291250E80173196F4601F2,SHA256=B9413C70C9C954927864842D8FB95DD54DEB84B0736F17786166B89F26F7624A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:35.004{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89790ACE034DC20CB6B5C2A87C92E624,SHA256=E0A88373EDCA6E6296742EC712FA9B0F272676A9A6C4642880ED633C7B0AF5BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:31.535{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:35.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54224F14EA94BA0B8F9A5826C2E75C3B,SHA256=2B190C5E91F49EFF337FC94FFCF9F0A4A08379016766A11A8F1E805490D83D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:34.848{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001383240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:34.848{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001383239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:36.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256145745B974D68B85CD0798105BBC1,SHA256=0A5CBAF40CAE078CB5800F28BC7947E57C19C1CCEBFBF931151F1C6784289597,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:33.732{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32315-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:32.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26688-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:36.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91760D47DE99A773F0FBDD043C487B5C,SHA256=1A090A84FB559D3E4295DA4A97FB9AB790EF5017E65E4908B11AFF7D86D32B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:37.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:37.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFB8460D1D2C32BD49248B94E5AFBFA,SHA256=B302D5102EF75C3175967D51C6646800787DDECF450F6DD8DBC3CA59E37F5C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:34.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38592-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:37.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28EC4B6D9B12D19AEDB685C769A12AAB,SHA256=F399342D2CC9C2FEB0076748506E06D807473857098DBECA169A04BCD3B28392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:37.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B0F71DF0A96D48F3F63EDD4D3D956B,SHA256=244CF448CE99326E5A9184275DC2612FB065E3D018C7D3082C86A4B18EF3E90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:38.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4647FBD4E050BFD30C84733848CEF8C,SHA256=3C9176A14ACB7A6F14450BCB55E6ECBD613872975E7717FCBC1B77994561CEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:38.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A51FE0AE34376BA4A2A21472288F18B,SHA256=70EDA9349A9E4D732B4746084CC832156D4FFBAEABD51CE8B968ABF772651754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:38.070{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4D0F0D8D6714CB1060A6C825E5912F,SHA256=A9770A06D21F33CCB2AFA2B84B2186E2AB449CF91888C4333F310D8F371E69C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:39.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45762BEB011881ED0091E0752E047638,SHA256=C0FB9F7A74DBCBCC82CCA0C8627DD1FBD7B3FE8D42CEE79B5BFABB099661DC62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:36.030{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:39.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CCC992C96A3AA917CCD44C07AC4D0F,SHA256=867B42D465404139BB79928B82E579C1464AFBC39B4EC0C9107D75A9CEC77EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:39.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63215DB4F65C099AFD57D0FA70279CA2,SHA256=DDD23BDA0AAD1565369834A30793261654B06673681443A617EC735A7782FE96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:37.456{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61618-false10.0.1.12-8000- 354300x80000000000000001289499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:37.226{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49656-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:40.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF301FB07705241DA5A18C624582392,SHA256=5E7846920AC1429210E0BB4D0534FA3785E437127D3DF26910766BC11190C1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:40.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1685918A864E69DB7A15E21785DC9F31,SHA256=8523314B927F574B76B15911ADC467F55FC1E4CD806E17D0C7ABB198DDC9A9E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:38.322{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:41.557{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7411366BADAADB7778249ECEC44FAE36,SHA256=E4A94AB622D6E92DE83AD0D3D2FB3F39527D120CD4E7383A11689FC47EAE9C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:41.130{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85719BD86271AC22D24760AC937ADBF,SHA256=F26F208632CE4D239540B3C590713CD5049CCC05162FE82431A3C4B3EE5BF02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:41.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E329BCC3D4E5878CFD54B111E1184F60,SHA256=DA5546653BEB19D093CB000C88677464B49F0BA23960D3E6B2969BCF0FF31270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:42.573{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999F09CF2F1D3816E04E67497889CA96,SHA256=271C44D1166C34CE8854B522853D4FA89F8F0574C07A22847C398679C371B603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:42.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB53FC25547D5FBCBE3F78CCB407E2F,SHA256=84CF67C63AF59F4B15553B04377C19928B070E2F4C356FB9538DE02CFAC56149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:42.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83AC51B2EB67DCB13537D726602C5597,SHA256=1F0DC6D9B9216B0130CD82D2F39CE9F86CA13E79763F4A8A9198224C932900C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:43.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FAEE531C113AE0C96A9E0C23BFF8CC,SHA256=7B60BB6E5C994CA9E4CE9560A098A3B6B65ADFFCD2803019CC505DBE01E1A06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.165{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983B61B16EA5750A8920248230643AB0,SHA256=84B3D0731A4F2920B9871CD24778741DEDF47F721F57C9627073A5981AF6E3E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:43.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3D0E8DFCC5B16EA04D9B7CAC8BEF27,SHA256=195F9F000AEA3E8E54C9EF7BDAF016887DAFB241ECE4335F04F721110A2A47FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FF3D1B4707E05D4AF46766BC299413,SHA256=CAA1CFF345BE384446E7612A857B95CB943EC1CF1DA3C17FC7785343D6095B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5182723133BB02B035871052E5CCBBA7,SHA256=6BA242A698C06FFF15BFEC5C104E82E5C41C7C36C5D76F3D3117286F4144E562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:44.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF620118AC2249C0D59EC26890C88B0,SHA256=45DBE59C01663CA5BC072F1B5C527C9742B8E559D6CD2B33B9AF9760A5FFE36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:44.180{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E06E062B3F74A182B9524C9AFA35489,SHA256=9EEA0F8C2693E7FB6F2E5663FD483C6C5020ADC02E4432A0145D67C63E55E946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:44.448{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1E06D84A251BB379E1DD6E26A42F7CE,SHA256=0AA3EE6EEC1189E07A7D7F229EA3041F63FF813F02B614F33A30AE52E8EFA0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:44.276{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E348AE53046A3DCDCF7FA41E94169E79,SHA256=3F1313E9B0BF8519E0824B3E9CC8BBCEBC5A7920D67411CFACD54161C2765E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:39.460{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.122{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.022{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51365-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001383252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:43.022{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51365-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001289515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:45.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC17BE9D1E53EE77D89C795F1A01ADF,SHA256=F2CD2DD24AF0B18DA0EA6CDDA771DDF11C8D7EF3D3E4E623B2877A67350F6FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:45.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3A3FF7BE18521AAA29C1688BEFED88,SHA256=9283AC65E6449CF9A2D45EA6232DF6F832BD3B9059D26B2617B9F13EB4CCED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:45.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D49F45467A7571158EBE198AC5CF775,SHA256=74C7ECA996D52770E77369521D0C5821D09D4496E33C310A5C93A7AD78C562A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:41.718{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:40.605{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:46.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D118AD4720CE0105097EB33C5472C0B,SHA256=A5ADC01FC093ABE67B6EBEB044DD62026C3744F874C4420375415E6303D11EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:46.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD978BA24362046F957516002D0ABE1,SHA256=E04AB9FD3A9986376CE282E64D31204F7C9CE0B3D79F24FC24623ED5D45296CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:46.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25DC58F370137FAF16D5ED9CB3E1360,SHA256=D8C23E18C0254084265CD5E16244108A1C16E45E21BF1B9332BFF80AC9D8170F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:43.393{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61619-false10.0.1.12-8000- 354300x80000000000000001289516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:42.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:47.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCAB890D75E62419CB05EBBCC50724BD,SHA256=205594607EC020511251FDBCFA97FD00EBDF43C968F8EA7C058B1A2B84F5A28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:47.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CF35E298A8FFAB9BBB4B0BAA814F0E,SHA256=697F67DB3CE3C84BD465899FDBDBDADDD4CABD2B1950C3063B5CDEF67EAE5213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:47.561{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:47.224{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001E03AEC1656721F304E280CFABF22,SHA256=87761E1062E9C915D35C67C6F46B07E53884232A72970EE2F65A8CB4EBFEC04F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:43.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-24412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:47.042{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:48.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E874A5BF431517E3864B43ECC7F639,SHA256=7FB3AC726ACD2211DBF7CFF0E07E1F71D4624404A6DA4E5064ACC599842FE980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:48.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4572180883CA08D447790676E27CC,SHA256=0157B299D393D5B7CAC902C5D614A5BE1FEBB5E4FC715085D968CFD0B1334B16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:45.393{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61620-false10.0.1.12-8089- 354300x80000000000000001289524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:45.157{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-30471-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:49.651{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD47EB330516E29DE94826CC06B574E,SHA256=BE128521919343B69D9CE4522CCEB60CA894A20E44D400A77A3975A3652FDFB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:48.532{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001383261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:49.260{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B174091377D0DCB132C1DF31266C6CD0,SHA256=3B686A569778D74026F3F683CC9B0FA797B766F8E36BFDD36C5ED84434C257C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:49.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB7F553154EE3EBDAEF3F1EE7A728F1,SHA256=2E1B564AFF17AE57928DC6E92E9DBE6CD639BCBB260B28BBADB0DC4A7E7823B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:50.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26A050BF0546A493C72A77A3EE7F1B8,SHA256=263AD49F8EB089D5D794EB366236191350A30DBA4CB049393217DB88E767510F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:49.132{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:50.275{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD460F8938DB164D90736D4239445B0,SHA256=7CEAD1B123B886829786784C080A66AB82968823FB725E8019962D9B6FB410FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:47.414{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41713-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:46.267{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:50.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=309E920B03BB15E5B7F5618A2AAFE13D,SHA256=BA20957BEC63BDDF1859791ACD8771A80B206D17E5AA6C2426FCFC4B50AF95E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:51.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615BD9CE9F011747D1FE39385B9F279F,SHA256=CC6EEBA14CA1EB68313D4C4BCAD2B3D07D2A46507E3EBEEAD908909C2BBED82A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:51.321{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B08F882EBDF3AF46BDF2384BD091283,SHA256=9F94D7EDF7F843F0C78F8E450DDDD6AC87890BF2410C12BC4B1D24CBCC2C8131,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:48.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-47620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:51.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADB908A38A0990E150DBD83D564F237,SHA256=B4350AC23B3065DA961895C7ED312197E683F8AF977FF26E7097EE8A480AA982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:52.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D5442508C157D643D1DFE166EE84F4,SHA256=540DFD701D15F59A5A687A67445A603B4D563DF5BF637A6FA6A4EACE681C83B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:52.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00770D0E0156E7CFE9E285826643815D,SHA256=BBCDAD1746F6E49D353FC66AFDB36B6C6D54269857461739507B9A5246B578BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:52.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8D09BE9F28B356F3EF5CBF6EDAB88DB,SHA256=592238B4ED55A4408AAF953D198764ABFAF812C82FCF5B86DDCF4C943639A9C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:49.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-53276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:49.393{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61621-false10.0.1.12-8000- 23542300x80000000000000001289541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:53.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB0AD0FFE379D084855345A5DA25B104,SHA256=B2BD5A9511BB922A51CCEBF056B161060406EA7705FCB4868112B7BAE7AF624B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:53.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C49265FEB5792235127112E3478FB9E,SHA256=5362C18EAFA2972741B0DF038B85633C993C00290F55F5790F18D4BE849AA7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:53.356{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B8B53C7A2964F382AE2BBB760B830B,SHA256=33E46BBAD7CA916A1401A71311EB71BEAF8FA2A9C7D2385886909B154E4CB0F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:51.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59772-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:54.839{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D96ABD1804C40E5F24F8C37909D95A,SHA256=83E57DA9F1D4A697C7CB4DC228F81E400688DC8853D7998DA58296D60513CAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:54.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA95F7A32B1184B25EDABC73EC62CD8E,SHA256=1DD1D01E9BFD05A92FE5B21BB868210F67C2107854D92CCE5C7B306B607F96D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:54.386{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE5C9E9401241E08485A73A1D04D755,SHA256=17141A989778D8FCB99B3AB3258449306575DDAB7A2FC83BD5430255F69CBEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:55.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F56BF5F5976B3E6B3BD4D18938DA18B,SHA256=44BFCF5C410122672D59A25F7400883AF65387C8C7C2507DF4DA8C0E8C693F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:52.132{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:55.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6A303AE92F1638CE82EA1E66876BA7,SHA256=510C0D2F56786C1096F07D5F8D32D38263D96EA79B7214979500B6C05C240CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:55.554{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E4C65190A1E7AE35D5CFC588FDC538,SHA256=0862A6B001B343D79B2596FD4039B6B21CA6C5ED3BDC3DC252EDAA4709558895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:55.554{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19FF3D1B4707E05D4AF46766BC299413,SHA256=CAA1CFF345BE384446E7612A857B95CB943EC1CF1DA3C17FC7785343D6095B7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:54.477{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse23.88.33.85static.85.33.88.23.clients.your-server.de59134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:55.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34EEBFF8FCFDAAF2CBA6C7B70E4CDF7,SHA256=91E2CBCAC262E640F0EB891E7EEF44217A894C8AD9F87B0F6B48ACE469707B3D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001383271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:12:55.339{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001383270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:12:55.339{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001383269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:12:55.339{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 354300x80000000000000001289550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:53.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12273-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:56.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E638309A6B926AF579EFF2BAB3CA91CB,SHA256=34A1D60C35C90D0A3C2DE827592E7539796119FBFABF5D2A30B10B2048525746,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:55.164{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.500{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93F379AF0F7CE07558CECB122E01B08,SHA256=2151D6481A147ED91F557659F18A085A827359C03671D357055902EE813A14D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:56.517{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5713MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.347{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51372-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001383283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.347{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51372-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001383282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.341{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51371-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001383281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.341{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51371-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001383280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.327{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51370-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001383279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:56.327{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51370-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001383278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:57.514{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C6002B378A5A9238422D7BD2F65BB4,SHA256=4E991BF8DB9368039DA4696CE20B0950D464C58EEEDD9A0F1C8E5D6F9EEFF1AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:54.369{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:57.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD496E8E54B0714EA0008E75164E137,SHA256=E9E1516246FB38AD6A49FD723596072D3F795EF39557B770C94B540C019A6C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:57.521{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5714MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:57.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C1E3A4F823BE9CE345145DBE39308E7,SHA256=5F9BA65C6CF6DD6DBC2FD7E08D947E2B624100466D242D2E6E3BA7C7A6B624DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:58.533{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B009A5BFF3DF05216DF6482A9FA8CC9A,SHA256=9962060CC10B375C189F5706AFE809D504EFADBA986B9129D0A1D64521E8498A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:55.505{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:55.403{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61622-false10.0.1.12-8000- 23542300x80000000000000001289556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:58.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76082D8F369B206CFECED3A3FEFECDF1,SHA256=71D75D2ACDAE9DB24B3583C463AC37098A4178795369D4B57E2F62C00C446936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:58.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=542A67E092A83C5FD11634779CB5C3DB,SHA256=1554A3ECE6AE4FF1377C3381E8E83F96971F574960625047A2D7F9A4D4434CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:59.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD14A7AE61F90CFD19C4B1C95E089EF7,SHA256=BF9B419FC74DC7DC26C1D3A4695C603F3DBAB594336B4A5387523C67CD5AAB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:59.550{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292320134544608FA7C89E237AD8670E,SHA256=DE96FD14AD31FA732D8CDD1775C7028C7403B1283D7FD2659562C642D51C16D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:12:59.515{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1396MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:59.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CADBFD436004DA699DC1702F4DE12B9,SHA256=1838590F90E946F7658CB4812014B68BFDD64FBD20EE43A0A52B7158FE8A655A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:00.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283663ED10DBA2CEC06CA32C83C70EB2,SHA256=47A4FFCA2B5190015850978504B6B24C34D68229FE26E7CF1568282D7A48D6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:00.580{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E2F9732FE41154A5368A7FD307B05E,SHA256=FD30279CEB7FF2E4AEA7C5807CB22D6D0C6CAE01A79A63C6A9612DFCED5D605C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:00.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2286352E76E31E027EE21D90B4042180,SHA256=D029BDA400C8C3B49A38FF459F7BE22797275519FFBC1350F5E9F55B75D76934,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:56.655{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:00.529{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1397MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:01.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA14630CBDF301120508C327CB4B7C0D,SHA256=CA73F3FCD7B3E72ECBDE814EDF818C9A7DC8157C1737BF7DEF606F3F927E277B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:01.581{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6763A1842F39A3C5EC1F78D697DC765C,SHA256=BD13F5AD30A61BDF831E0995DDFD945C82AD162A17E32234B46770C8AE983FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:01.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88FAC5D36C7B712117452FD8F9289F92,SHA256=6CB2BDD351FF3BD3C1263224CE16CCA4449B010C5E2B785F699720362F68FE01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:57.774{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:02.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C731C9CA0817D141B3EC76ECD0E0DD7E,SHA256=EECCC8F7567752718C2167ADC13E4D730143B004EB072770C2CCE87F855D2F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:02.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F95B05B13237C8E24B78F9450FA70D,SHA256=B186284D47D6DEDBB64AB281BF918298AC2EFE3300BA8AE4C84A252DD892AD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:02.633{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A530E38CA53D5395594E47EF14224C,SHA256=B4A283CC81CB6112B71C313CC71B09F6CB88B7F6A473592B82CB0302F5BD3860,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:12:58.896{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:01.174{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001289571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:03.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1BA96BA0AEC817159B4F1279D9FAE0,SHA256=69ADB99C4C283A40A1FDCBEEA432DF8F826E69B313C0E7DF9E8EF1B1D7D16B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:03.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34E3088F4FB229C9C5FCC7F4FD5D296C,SHA256=0F419EFABE37EA61C44459D4661EE8387E0C740C19C15A2FD1E251C628F77B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:03.664{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CECE73E5C123DF9B25E2DF3D070135,SHA256=E4E04B09D2D4193CDFAD787845F127CF48B367064FEC95FE50F7A77F5B1ED75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:04.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1484138DF381AD74D98645D60DAB227,SHA256=D467395C3E691B62F7B61DF1C600CFFB858C440DC56999768A340CD518F3D9D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:00.428{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61623-false10.0.1.12-8000- 354300x80000000000000001289572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:00.127{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46414-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:05.679{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19DCA655127B19D701111AFB2430C0E,SHA256=4D3B0363F0CB49D42FDECFF6FECA1670C7F0340F2AE3B8F8E58A659F910F3BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:01.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:05.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3CB73F32A0B16C9CD36A6A691C4F4FE,SHA256=A2CDD06D27913301FC8FC8FF67E676E6BAB373996C5D015DE70C9EFA0691C481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:05.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C0A697A910462D15BFB310B2F2F063,SHA256=141D2E22AF2E2BEF315D5393D7C67B758BFC5E90D24A528BEE019C57EE9C28D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:06.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E09606FE372EAE1495AA5AB40B19616,SHA256=39151BE3CD3DCDBFF7CF87FCE308D8BA56B884B51469AF965C7D064EA49D3F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:06.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D179EC37E83A1756A5E8801C5AC9AF,SHA256=AD600CC46A244148E2CCB4C5D2D2D34B674D93F2220ADFCC15EF978F08ED68C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:06.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA4AFBCC29BB375F0390CDB6ADF2024,SHA256=88BABCF2B33E1429A2BCCE62D33AAD6352FC7F4393A1E25696D69336B33800DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:07.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B67D1A1AC0C30EA7DC7B11D8D816C06,SHA256=27CC30064595884661DDED9EB6CB50F62A271532E64A922F414E0F86A08D1346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:07.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=805A720BCF0A79EA7145A20273DEFCB0,SHA256=9CEB6C7789D0AFE763AC69239288C0AAB784A23D43C7F634A8299CF6899B02FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:07.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BF33AD43EC8E50DCEDE6E7BDB1BFCB,SHA256=5439E77D9DB309215C1A8B115C63143184B2BDD79408AA50784BB699472B40B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:03.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:02.395{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:08.726{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3031489B2D8A8A4958125C931E195F,SHA256=FACFC590C4F93C80EF97CFA21C36D513FD6A9E3BB0ABB99082FDF13A787982BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:08.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66F2F85BACEAE12E6E512380AEFCD76E,SHA256=3B83DB8A6D55DCE15221C8F7AC734626F8A420A8B01F9F164402579652E17204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:08.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5565802E3ADE20560A032B68773647F5,SHA256=87FC2328031EE6C163C3255A65C48BEF4AF17018AB5AB27E91E95FFBEE2E4F84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:07.203{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001289583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:04.695{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:09.745{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A75580ECCB6A4AF0D60C1A555AD5B56,SHA256=054AD3CD61247A63E247108062BE2748CA456615F9F315368871E39644560F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:09.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1056EDBD2CD5FF3B6907F6F8FD2CE67,SHA256=DC2827F1EB2B6B0D361924647305BCAA11CD64D51FDD2E36A6A3F5ECD77C0110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:09.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB12FEAF33D6EA39CC6E22B73B5FE97,SHA256=F9C1338C59C5EE0B47B5D85DADABA38900BF2768514B49EDE203CDC36271A510,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:05.885{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:05.576{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61624-false10.0.1.12-8000- 10341000x80000000000000001383319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCA6-6152-5228-00000000FD01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DCA6-6152-5228-00000000FD01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.830{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCA6-6152-5228-00000000FD01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.824{5EBD8912-DCA6-6152-5228-00000000FD01}5856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.808{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=591EDF79669F8A25345D7618BAF8E900,SHA256=3B39D1D89E8E1C9C6C4F51278B993E026244B0EBFE6B793DC0C379B59CC6499A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.761{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA06C3ED9BAEE8652B1C2125C9EC831,SHA256=65C0CC10D5A3EEB948EBA0055546A0F1F8471D90D9CF596BE173DC4C09525338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:10.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=078032A37233913D6C9251151E1C29F4,SHA256=B292022BEBB396E57137767A56695AFC270A88300C6BC385B744011B10BB3FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:10.670{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FCF743849D9A23EA35590576B7BE6E,SHA256=5CC5325787CDDC32F9B8AA2ED67D40CBA2ABDEDCCCD100A697FB6BC125744A0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.393{5EBD8912-DCA6-6152-5128-00000000FD01}71004036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCA6-6152-5128-00000000FD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DCA6-6152-5128-00000000FD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.160{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCA6-6152-5128-00000000FD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:10.161{5EBD8912-DCA6-6152-5128-00000000FD01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001289590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:06.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21937-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.779{69CF5F33-DCA7-6152-48A1-00000000FD01}24444016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001289607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3D4AF62D18D9A99DCFD79C315C47BD,SHA256=437D63ABB8E2047821D95E817F339CFEA68B154D4798D40E9B6AD53B71D39A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:11.776{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D2C72D7239E36A4A1D7FF90DC2B4C5,SHA256=80AD2BF43195D635ABB61BF89EA3DF1D2359699CD5C7C3BB29F082555C921105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:11.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8925CCEC9C19B9C70AB4B2EA324DA3,SHA256=5774557265FAEC25F384CE201F0A55EBC1B1A441D6883EB203B6F93500A1F53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:11.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E4C65190A1E7AE35D5CFC588FDC538,SHA256=0862A6B001B343D79B2596FD4039B6B21CA6C5ED3BDC3DC252EDAA4709558895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCA7-6152-48A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCA7-6152-48A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.373{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCA7-6152-48A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.358{69CF5F33-DCA7-6152-48A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001289593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:08.092{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27082-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.890{5EBD8912-DCA8-6152-5328-00000000FD01}9085312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.790{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819F7CEFD265AD6F0287C794C5E6ABDF,SHA256=BFAB0D14D72353854349BDA967C5E26E593DC7BEEAFC5D73AF7570814D38E105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCA8-6152-4AA1-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DCA8-6152-4AA1-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.717{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCA8-6152-4AA1-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.686{69CF5F33-DCA8-6152-4AA1-00000000FD01}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC59ED33542AF88E4CB4A9EF4C76E65,SHA256=7B7039F6AB8C4E2C79BB6CBACC7B06C02A50F2709A334C93FD5A4CC74CF5027C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.201{69CF5F33-DCA7-6152-49A1-00000000FD01}976580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCA7-6152-49A1-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCA7-6152-49A1-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.014{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCA7-6152-49A1-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.999{69CF5F33-DCA7-6152-49A1-00000000FD01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B04CDA87EAE67DEBE78047DF323AA9E,SHA256=112689E0104236D58150D1F0FB5A9B635CA963FFB7B9495881DC7D9A8DE804A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCA8-6152-5328-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DCA8-6152-5328-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.727{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCA8-6152-5328-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:12.722{5EBD8912-DCA8-6152-5328-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E76B8368BA29C58C6E5C1DFA4CC95E5,SHA256=413DE10FDE3B55632B9A4FF5BCC48738246F745DC2138AC6F101CFF3B587F287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4012DD66FD10B6620132772B652168BD,SHA256=5B3201A695B65720A2A70AD2618EDA7314EDC4C7276C8A8D24CB9C7E1BDEB5FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.100{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.727{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D8925CCEC9C19B9C70AB4B2EA324DA3,SHA256=5774557265FAEC25F384CE201F0A55EBC1B1A441D6883EB203B6F93500A1F53B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCA9-6152-5428-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DCA9-6152-5428-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.427{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCA9-6152-5428-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.421{5EBD8912-DCA9-6152-5428-00000000FD01}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001289653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.498{69CF5F33-DCA9-6152-4BA1-00000000FD01}3228104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCA9-6152-4BA1-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCA9-6152-4BA1-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.326{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCA9-6152-4BA1-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.312{69CF5F33-DCA9-6152-4BA1-00000000FD01}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001289639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:09.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA28D359DAA64C50B2C27668F4978631,SHA256=16B88477254AADFE77483AC8E558106C10D680286768DA80E0EF55446ACC05E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.920{69CF5F33-DCAA-6152-4DA1-00000000FD01}700828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:14.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A22B0FC53C51E5A2A011B59F1C5DF2,SHA256=5D85F829A61ED5C523861DC204F39BB60783F30F3B84B755FB6C79A58DF1D97D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCAA-6152-4DA1-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DCAA-6152-4DA1-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.701{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCAA-6152-4DA1-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.686{69CF5F33-DCAA-6152-4DA1-00000000FD01}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001289669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:10.414{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3DEE824DC952EE4ADB7083F1C275A02,SHA256=D1227757DC7A6E7956E9E642A8BACC55E92F0F6CBC25164625BF746210C38A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCA9-6152-4CA1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCA9-6152-4CA1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.014{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCA9-6152-4CA1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.999{69CF5F33-DCA9-6152-4CA1-00000000FD01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:15.856{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3687F602A06A8F3E40DF8AC36D6F8978,SHA256=F1523570D6A7B86A1A8E27553D9244FE3E52DEAB93F90CAF00E291FAE97C8E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44492-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:11.568{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61625-false10.0.1.12-8000- 23542300x80000000000000001289685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:15.498{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6430C46583EB2CA2272393778023E4D,SHA256=E6C42CC8473C840B1B3E779F8057E7502EAB0A7AEA44264228F2F85EC35D0AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:15.185{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32DF7CAA9F6E4A6EDEC9F0FD8123645,SHA256=A9071473A6961926127443C6639A6D546526195FA2BF6AA33151ECDFE17BFC1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:13.851{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com41035-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F3B998CEE2CB9E5A88E0B959C1DDFE,SHA256=E1210056FFE581C3289DD206D03E4B875C832C69D7A96C7456A1475E2E56478F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:12.757{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49903-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:16.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92BE164C51B195438B7ECE7FF82F5B7D,SHA256=F0E762A175B9057D1E5067E8E60EBF98B5643036C722DED4F6007A259BA8DC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:16.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECD75540B342340280B0B89586891AC,SHA256=E1AD76A1E68211A7A5CE1C534764480710808E4D78967A0643AE6A283092C679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.823{5EBD8912-DCAC-6152-5528-00000000FD01}5881192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCAC-6152-5528-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCAC-6152-5528-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.624{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCAC-6152-5528-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:16.618{5EBD8912-DCAC-6152-5528-00000000FD01}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.885{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB6926E10E32CC114FCFE7322D27F47,SHA256=E8F77B3338F5FED66E9B0377C662F4FB3B20F92447257FC2CF3E386CB9CE295D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:17.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D4E64BE1A9B6EE83B0F1BAF3CE625F5,SHA256=EE7673C32A60369FB09EB15F60456B1255AFF5B173472A1158CA2398DDC898BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:13.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:17.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE765EE45459C86265DB0704DAFC640A,SHA256=9FC2170A8756EEC5BFCE63AC4E99DA56AA53A2FE64493F8BC1E508817660EFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.654{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECA057448FB195901EEF8BA5121B988A,SHA256=996D282F43B5C0C9FE98F41EE1DCD1F9F9B486B99A12D5CD17C5EF77071BECFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.455{5EBD8912-DCAD-6152-5628-00000000FD01}66362088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCAD-6152-5628-00000000FD01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCAD-6152-5628-00000000FD01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.285{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCAD-6152-5628-00000000FD01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:17.286{5EBD8912-DCAD-6152-5628-00000000FD01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:18.163{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:18.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF8525480EE4CDC5727BB18F3AF985,SHA256=6B78B39B7D02699053363D7E76C9923D8EE32590A553DEE1B1A66D7CCEE477F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:14.996{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1975-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:18.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF07DFF09E5A026296D22D02B644575,SHA256=8927877C93AB935F1A883F78454B435E27F8D6A1546366F92B77ED34968B1B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.917{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59A6FE303CB3420A44A315DAE225B59,SHA256=BC30CD2649B5F8432632DADCD7020B528FFB0E0B7A4EE68F49172AC82D2D77CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:16.105{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:19.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961F5205A0BCA7BC9E47AD54042C2E2E,SHA256=46048F3B5530C4A94E65EF2D273EED4231E0808CF631BD62785AB5D37560D517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:19.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAF9D08A2F52A2EEC7730F45D39A5262,SHA256=065AE0B2C11E9CC3C414EB8AE2B71D06CFC17541B907F0C768F87D84F1934BEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:17.486{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61626-false10.0.1.12-8000- 354300x80000000000000001289701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:17.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14248-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:20.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05C7FA7B8DC074DD3A2B5F251E9D1E2E,SHA256=870AFFBD1147C2E085B44A9DD74E8DD21F068C7D39B1A3F150A2ED61B7A337C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:20.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4772BBA37E08D9D42FA157A8387B1B74,SHA256=B3BFD1A757198E056DEA60DE3C66D41E8CFDF67173112F265A25338F20AF3296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.539{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEEFED17FCA3DF253A56B3DC112E2E6F,SHA256=1355B2FF7C499A2B0C4A170A5FE36EAC817970025C95ECCF2EEA20C9BBD364B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.286{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCAF-6152-5728-00000000FD01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCAF-6152-5728-00000000FD01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.998{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCAF-6152-5728-00000000FD01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:19.999{5EBD8912-DCAF-6152-5728-00000000FD01}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:21.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C38ACC2B43653A12510F181A8A1AF99,SHA256=C3D7D0D2D1933355D72039ED2079264C7D15DED3B1E56DAA74B16619B5C7A8D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:21.353{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB88AA626AED5B36F0646FEDD0517CB,SHA256=872437C43BDEFAF0A333A710520120CAC76C12F18A79C63187B2236A0B17A9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:21.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=401FB7D9AA9C927088DA5B70F3BE801F,SHA256=B1B5E90B28A30788208DA57196B52FB5E831D6B6FE943BBF2AC00DF1E87C05A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:21.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081BB896CC6F552B02BC3304CB8B6637,SHA256=56DEF327A24E7A1D1FD6E9763E4FA709B371CF04ECD73F933DA5B625CD6D5477,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.267{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25448-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:20.220{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001289720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCB2-6152-4EA1-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DCB2-6152-4EA1-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.603{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.588{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.588{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.588{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.588{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCB2-6152-4EA1-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.557{69CF5F33-DCB2-6152-4EA1-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4A876AEF6092FA725717F72372F270,SHA256=A953563E4BE34BE27D6286E10577BC0D526CB8849F70CC83E1108866CE7024F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:22.869{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B41CEA8A924DF9926B26F2CD5F8FD343,SHA256=3683FEE8C1AD9CF2A5783E9B3DBE6E92DECA45B6A0F37512C72CADAB99FFFDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:22.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEA0944714577490D586A86BD5632D4,SHA256=B5D0F48840B676527A96E4D2F234A86943086871DCC12EE8384DBD47E618D572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.494{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54266696A8F8E2AC8F688A9CB4ED8A56,SHA256=7F74E5920393157ED051500E88A05CC7AE39A57AB52D20B0FAB4C53E5F376A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:18.694{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:23.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C0A522F351C913F05E2516D7D0571F,SHA256=054E82A4A6A711E30CA1A63FDAF7C446FA9AB0C33FC120FC9AA88F25586E973D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:23.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=415D890FD1768C22C6BCAD813F807253,SHA256=86CA219360B50443BD886D35F9334F1C8543B25AC383260CFBADAF81FAA40E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:23.953{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DE91B59E8BBAE96F63261C92CB1CA91,SHA256=03A96CE131F7F80EE7C73E282D554DC4A3277E9535E0C178418F1EB6376DCB49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:21.567{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:23.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAC12E959F338BF82650B93836AB808,SHA256=DEA1564CF5C2A7C69E660DE35BB9DB52A7E01FC4E7ABF303B48F083FA21095DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:19.772{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-26253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:22.131{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37923-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:20.912{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:24.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B91A76D8A277B06990A09C1A9E9DBD,SHA256=1319FD40A09BA762888BAE276D2D579DD1D8CA84A6D263DFA6F9B6C232DAB028,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:23.882{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:22.760{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:24.068{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9297181BDA6D541D318F1AA8B48A3ED,SHA256=37FB518E4CA2CECDF0F40A2E007F4D04BFC266115DBF1155142C805037F8E780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:24.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FAEF9C43CE8C3FB52F2FF7B57164C9,SHA256=289C903D5391056F5B7CD9652E221349C73FA5882E9B5DBEFDC9206211898999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:25.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C56B6AD12A9D04F390999F44BF7FB6,SHA256=0E68DDC5F5D254DD89E415496EB8875A4E6359B7AF428E958A3DB22409D54D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:24.031{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:25.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88CE78CC495AEE06321427881AF4C8F8,SHA256=D0E45FCEB3BEC648B73F982B0E99170B320D541A8783BDD3DD844BC9F9EFB4B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:25.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184E71C6D5FBF56E99C4A821AA56BCE8,SHA256=24EDC3DF80F23E3183D188A0D968C2E7A529B70C49632FDED69131FA2BBB199B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:23.408{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61627-false10.0.1.12-8000- 354300x80000000000000001289730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:23.265{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:26.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C5D667908EA2B1115B646D50645E4D,SHA256=D84491CD14F10DABB086DF48CCE65F48DDDA859C2E46A77C54C3F91CE2326989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:26.220{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B313E645F21A8C1B37E58356A5E8D7,SHA256=D566B19DFDFB381B4EFD362454A8E3691182EC10766EC33400A1DED59469EB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:25.020{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50731-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:26.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773DC36CDBFC58E89480785BB7CA7FC3,SHA256=5E3CD43E3DFC3DF7A6389FB341262BC3D2A589874A18508EDB6F6D58A4B1268F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:27.301{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=731769984612082086D32D1DC2819931,SHA256=C025067EF21F18930F702DA7CCBDB9B1BAEAE8E05881336B6E7D9433BAB203E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:26.118{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56496-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:27.138{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0496A8EF9B8A68D3088511CF69B553,SHA256=AA2E1E7AF1D8863DA1CA332CDE477F8023C4F024973B769A58F45B2CAF30012B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:27.181{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F2B869E3E608C3F28E4C78AF40D3CB,SHA256=3688C07DC099BEC8A2E645F70955345B4029F996C6BD0E5EE0ACF235FF09936E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:27.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AFC973A06928E7757C1D8AEC66BDE8,SHA256=2594032AB6613D691352FC57C470B42A26DCF657C3F4BD9E57D54ECC7F40FAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:28.420{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B5E553B1677A4E2696E5FC3B570ABC,SHA256=0C64D8B62169BEDAD05AECAB0964B8183EDE69D4A13F84E1A518ABB35644E63F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:27.231{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:28.168{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908C9A712A38CEAD1AA1DBCF2B3DD45,SHA256=E665C5338E3FD4DA5CAF785E45D4572140E080A89E965A6FB47BD063FA506340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:28.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7410E9355ECD49F3A4B0829915BB5AD4,SHA256=3019C4C63FE1DBFD3962F30399E328ABB35F04760AB435BF465B1CA4230D7668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:28.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247946DECE504E2684D8AF555B342D2F,SHA256=806C1E60DCF7CD0F83A5ACE310B821D6AE8FBD8F7FAC5A885FC5A3E7B401F67A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:24.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:29.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C64E52C2FE7818EA422D33ACC5DC531D,SHA256=1571B69D14613746A4AA75974DC1B4FC1C2EFF038FE3AB497659F2D964507221,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:28.329{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:29.199{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A993F50C98ACA6691B9B8A1950B55F63,SHA256=1B145B19DD52D48B558F7D56911EB0B11496EA097A827582D584D2688E50F750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:29.353{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A18D913B2DD2498B5873D1BFEF80953D,SHA256=55155E96EB94D7C5ED8F5B0A8BD1F58292A49FB911ECE2AEC24A03D444919F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:29.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1224DE31BA3D0F64EE85E76FF15E48EA,SHA256=292C1F8DCB6443F95C7898C00B61A94019CAF5DDF56D59D44602810233BADCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:30.653{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A215D7057B32D2976648D94641CD3B,SHA256=13C0FB5CF0EF26EC9BFA8BF84A65A47B840D82ABD6F49EA0B1766D283FF92FF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:29.209{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:30.201{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1732678087F54E2CFD440E681A04A4C7,SHA256=DEE130F98B3C7AD0AE3A066BD0272E850125E09BD40118E5013ED0CBAEB69C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:30.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EBC9606006995228BB424223206173,SHA256=55B6601F75D225A42447902755BF0B578BF5693A59E6D5BAF982EA92CC565864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:30.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9AD1CD10ECC226696364B9D1FE6521,SHA256=7E77A186D2AFC037383B8CE27343A3EF613C0FE65F82934E46E1BED345B5048D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:26.646{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1496-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:25.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:31.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2BCB700A93C57E5F0C500D3963C3B1B,SHA256=DC193783A45239B5B2B7F184AC14D0EC79343CB6922531C9532A53A985C119B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:29.443{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:31.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C13588348E4EAF23276ACF06C6A73FC,SHA256=622AA22D3D339F9CF5EB579338D1BB4E86838D41BA45435E1A0837CF7709783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:31.572{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1F10E6E02C053EAF5F994BE93137469,SHA256=7A596B337C6C33E2F2BB24D46E79B52C2B311A8E6A84AD115AB4A39DCCE6ED43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:31.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241705A032EA22B95C2C608832875C18,SHA256=405AA6A186017ADD62E8BB0C813D3FBCA0A356D08AC2F4A245BEEB2EEF771AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:32.801{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E01914972857EFD13718C41C5B6431F,SHA256=739203EC185DB15F4310D0831EB4EFAD9677AD81386F8C7850B9031CDAD1C23B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:30.564{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:32.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD051A54484172EA5E16D17531507981,SHA256=F0B9F9EBAB478346D0D221E9C1693A62891CA029A16CE5A878384A3A81EC123A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:32.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235D9BDD7A8288A5F64D5E465C43C5F0,SHA256=84F5FB23F8F9638386463CDB8612C25D6BF2C04C028C927CC0C3A4A5C6700939,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:28.517{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61628-false10.0.1.12-8000- 354300x80000000000000001289746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:27.740{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7255-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:32.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1748AB0FC5EB00E6C3C311B2B071341,SHA256=2CC97B7C1B071EFF8677E8B0D7094E4F23E3EEA90EF887F2B96C0B094A38A965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:33.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1995C628F5FFAFF70D176A67D8B8D112,SHA256=7866000114112234F57875A6107314ADF7E6EE6B9E65EAE5CE5662D6A40CD36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:33.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3B67DC4FD6BFBB2ED97E5FB9EA2672,SHA256=3C9CFA56C5AD5D46879E7CB55582608C26338AEB70CFBFFD040B648B654500D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:33.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70DFA9D95A87A804D19D56D5FD965D53,SHA256=778E225AC5B6E25E86AED0DC6916A7CB5B97DA82AFCFB7B0E18535EE0D3BCB4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:32.751{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:31.668{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-27462-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:33.238{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FB7B45FA4C7B70458F34A13261A216,SHA256=FE83B4A3F206BC54E2CA570C24DDCA05640832C18717BE1ABB84D0CD80CD53C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:28.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13085-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:34.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5769AEE7D2BADF341F2259A3649C7BA3,SHA256=7DAAD9FD152C276B002CDBEB9788855A590330BF0B54CC843AB85884C3549E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:34.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5161E91355AB06C230D5B40B6207ED49,SHA256=75956054A90CEE846680AB8A7108B4484443EB66506617E1E3421A73DB957EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:34.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F18E505B5304F21986A17E94E2AE9644,SHA256=9D3D141D90D4DF8CB25098B099C5DB4D04A5B61B14EC556AAEFA8FFB99C89AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:34.252{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7380A0CE4F7B78B77F196D182B18916D,SHA256=42FC1EE145C6766BE899A2FB18C26BB756307DAF69EB88530E159C16A9054F75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:31.026{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-24024-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:29.945{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:35.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AC3CE8FBED9E73B373BA957FB6E401,SHA256=0DDDF9A9C24F6DC335C604B5DAB90CD3D2E57A2E07A9DF4C4546F7F3B4F757AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:32.116{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:35.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F85206469E01380D010A3EFB5B6A8B,SHA256=BFEF65F8220554610E7310F17905EFA2F14BDB5526A67485D81659FB547218A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:35.030{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:34.914{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:33.830{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:35.316{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D98E791F82DE3FEDF5836896D16DB5E,SHA256=D98FB40518DC2BFA75E89A7020E8B1BE3BC84E6EA4FFB0DE32D0130724B0CFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:36.494{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D34B163AB1B85D78A624ECBECB31C6,SHA256=2F3DD962DE1981764580A17EAE31D6E272D58E00E20B523D4D361D55C84800A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:36.366{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31515AA66C432B02201A2A4EE861E12F,SHA256=6004050140AF21731254C5CD60DB302772E3CAAB1D03188484B0EFFD95813C81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:33.208{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-35011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:35.996{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:36.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AF3AB68CCB5982E32B7ABE571ADE4E4,SHA256=001A29FA92B763049C647585A8D06EF37AA6934ECF1008936431206C2F214D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:37.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEC0C7497D38C75D6B941CFD80D4B6D,SHA256=98BDC8A743858D0FB3CCAAC0CF72ABE34611188E1ABE0D6BBB3F58077A5B0E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:37.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBE2097BC5061B770BADCABAB85B60D,SHA256=8CC21ED46B6607490AD8A462E29E3F64662E13FB676E4D8C4F25617AD32E3D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:37.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A56D9A837C374BAD18BC9003ECEDA026,SHA256=4E8BC51D2003B0615776B287BE0CF918945449AD03E1C8471AD835393592B03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:37.149{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=644D1DD0E0A07D0F9097CF414FBFC577,SHA256=2AEDF8C2D77EC474AC9FDA6698AF7EBEF9487A419D4D8189FA8B98B082EC4B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:38.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FF957004AAFEFE57B02290151C4739,SHA256=8DB2372A8E473D1EE80B9EBDEAA581FEDB63E23BF4A7D2CB4CE969EF97131684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:38.415{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C0D4A75ADA5E343B7C25B9FBD844A8,SHA256=BC41A4B9F6029A7FD0481B11E66E23B9D2E9040552B85151052079CF429F2DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:35.507{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:34.423{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61629-false10.0.1.12-8000- 354300x80000000000000001289764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:34.320{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-41010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:38.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC285C3D5EFDCF82F031681BF94664CA,SHA256=BE4BB81DD3643BCFB3BBA2AD142EFE1847878273614F713C5B5B5B901EB6C183,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:38.177{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3515-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:37.080{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:38.265{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBA5C16209706B3B96704E91B088B766,SHA256=AE94A058A7079ECDADF53397CC736103A63829AB5343B4A6A87B7F40A2987E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:39.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CE723AA34EA2CD3101373F58906CA1,SHA256=3C05FB917FBA445180153591A252581FD5F8C44201DB44A628ECF308E8C7EA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:39.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905132592AEF036EEEC6B827FB814FB6,SHA256=7A654E18BC131687998A3FA52D981FEC0287C94CBA8DA6163B16E0FB0FE9EC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:39.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F05158301CDA8699BFCCB297DFF26501,SHA256=5CC3563943DC5F68F42EC4C4552C57E57A10D86E44BA008C5CFC3E93D5AF778E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:39.381{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD5961DD19CCE27ECE7855EE32EF710,SHA256=9E7B042A64305E016980AA21FF82F6BD28CEF836C3176119AF3CAB60909B41E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:40.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E5A70FC52690F55924BFD31568BA3D,SHA256=24D784C8E8AE2B255A6C47AEBE20B96B21152C92E2F26365397A328E9602714E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:40.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099A84272FBA1B4B1EF33D97ED0DA28B,SHA256=CCA4126B45BC16BD064123046E0F03D49F355B5DEF41D5261F977674D4445F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:40.448{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060FE633E3BB692712B660266DFBB17B,SHA256=9D704B48CF245BC7D323B349B012352D325BED7E041FBC8806DEF125E0887329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:36.644{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:40.243{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:39.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-8993-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:41.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A87CA665F73EB13E11C26E56C00C19A,SHA256=0BAD289801C66529AFD2A0D83DB450BD988C6B3C676041048495752D8A2D1D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:41.594{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7653813E80EDE2B2D66A4B0A8B5514DB,SHA256=179E86F7CB9175DE920B126755D940A3C35E03D1DC75884219A95BC3C1523FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:41.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E95DF3F2CB1F8891A1C5BFF88831464,SHA256=5929C9D0F19D66C5DDA8DFCA47A7EA6BE90E3BC3BA268072F14CCDE0B555F4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:40.425{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:42.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54EE198A04EDB4951DE481F40910A57,SHA256=E897085798A2B5D49CDD168D983798D5AEEE94689B2070A1589335170FBDC707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:42.677{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE2A369A28E5144AB7FE67252DD743D,SHA256=E35A091677E2F970F8FD2FFA38F070EA21333D94FD246298D76C3AC272E7B80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:42.493{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5F708E84CE9393094DDFBB9C08BC64,SHA256=A08A006F244B70CC596766D77374A3AED08A4D1F17C4B6EDC4397DAE9F79A4DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:41.530{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001289775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:40.427{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61630-false10.0.1.12-8000- 23542300x80000000000000001289774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:43.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3808FC0325763667AF27289CF5A64981,SHA256=8A661343C7F7802CCD64EA8CB2FCF9D7F948A8C302FDAD5901C32A90AAC9F98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:43.760{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746F391EE1267474C9EA8996948FF570,SHA256=FF1B5C99523D6EA74CB4C9D5F139CE14FB2C07516B016769A70D5E68997EC336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:43.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4411F40B96B3883A29AEDBF9C7DD20C,SHA256=F44E32E8D2A2DF87EC1B8F8DB00C8956DD07C5A79175913103BDB7F243D62A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:43.025{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51381-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001383479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:43.024{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51381-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001383478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:42.609{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29286-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:44.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD43B9DE38FE90B929762AEA363DC8F,SHA256=1C3C9E622A2752EFD17BA427241E658CF4E1F515D5C9298BEC00361B78C6449A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:44.528{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4523D33F367189F7E445D01E1DEF11C,SHA256=1AF3A946E62DB92912CCEA1647C6CA621C5EED8C2DD312236C711EED1FA86321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:44.279{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=99E64CB0FAAFFB3FE633D2FF13AF71B2,SHA256=4C5247F3DB24C623EC3F0BD08C67F072785BC3AA6B8C6873CB4183708A6191EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:45.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA0EE3A055B7C5C83AAFC0E57E0F08A,SHA256=697DDC6D11249885E85401C64D698763BDDD33711BF91D308AC5D2E9E23B4FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:45.558{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF31035C2076B554E7F9D366E6B01D02,SHA256=249FA3003395F2ACACC94804B5C34F8FEAB83D9EB2EE817613D634B9D8889EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:44.808{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:43.691{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:45.008{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA9936B1281655CA369E318531F9597D,SHA256=A2D21D4BD3082B0B45000CBEE695402564B1B3DE20059E49BC30313184D31072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:46.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7406B31B40ACB9A72159080A6DD6A5C,SHA256=D1184F650C436457BD3322C50E95ACBB2146882296EB8B541B8399CB506FB3FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:46.020{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:46.573{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC4A6E9A318F6CEFA571F394B96746E,SHA256=EE5C5F7D6930DEFAAA0A35F756DC8B331EC25A94CAFDCC3567D4B2484EE3037A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:46.089{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CDEE26716D3699933EB0DC0F205F0F,SHA256=F77D4EFA3D59E43C74529A5F233574FED0047C1519965144945D903F0FDC5CAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:46.199{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:47.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0C8C569025F6E58097F5FB0E6BC160,SHA256=DE88F74C3C9B15F3F4E9994BBA72E703DA8B5EE684CAC2AFD4C10CAD8EBA9B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:47.060{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:47.587{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:47.172{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F562E21121E04A605178A02B97FF2C,SHA256=20EF53156F8B663F0E0FBFE47BADDEB625D88A9388479A5070D7C9362666AB75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:48.188{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-10519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:47.104{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:48.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193474C0D675223B6E7265BF2DF004A2,SHA256=03702370EDC0FED98D892AF61B873F69FC7B085B70EA15593F77A60844FFA1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:48.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F470FDD1CBA9EEEA7B2528488A2A05AD,SHA256=5DBE440F8078D8E58AF297B373F571AB429E7430C8BE8F213C323F1568F8B055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:48.255{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09683733BF6AC6D8F3C725EE9506AE57,SHA256=22437A69DB1003888EAC186D55738601001208949197374D27C9A97EAF35854C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:49.285{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-18021-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:48.565{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001383500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:49.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85546CA387ECA1E4E8D2E4BF091C0A,SHA256=53780F96C1F1DC3C945DA96FC7ECE6346296E44549D9367E67FD6D86F48F92F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:49.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ECE1480EB19D04C11B00CA22A5FD71,SHA256=9FDD87376828029785DE758F54FA8351BF063AA37D84796E09BA68647AA05984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:49.370{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C1108081D905E6EA1D579E9D51D2EA,SHA256=E9C01A3E9FC485914D918DE06E8AD8C0A302593383A45AB7AD55961F9D201D98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:45.443{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61632-false10.0.1.12-8000- 354300x80000000000000001289782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:45.396{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61631-false10.0.1.12-8089- 23542300x80000000000000001383504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:50.654{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68CF2221AD89343291ED7DCE0E0AB26,SHA256=D26FAD8D07AFF8677612CFE63157E022191CFFB8E55A8AF96CCBC87E44CD5F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:50.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F25BA2534426B620586A0162421DDB,SHA256=7E6D633CB8412E8B7603960822D818D4AF89B97B800E46EA46271313AC11DBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:50.523{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21F72A27491CEDABDD94EE07784605AF,SHA256=53F851B547879D2E8D5B269996F45614F79F7440C683E214FBE6EA046B723EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:51.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFF2F85E13650BADB291AF94A645BB0,SHA256=79801E51CC61FAA5D9EF2BED9160047C1108A437DF87456ACA888800703ECBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:51.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720367922CCD47AEB34261BAA933AFFB,SHA256=0024732F15EE3E66B78F1957887F8ABEAF79AD606A2AA7E9079B073F36033199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:51.653{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2BEEC04DC51DBE357825AF1B9FA92FC,SHA256=C08DB7C44EC8111D7B38633D711D37F986EB08B6C9614633A13C769388A583B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:50.417{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:52.783{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28B81A5A1C98E8E87DDAD3E4D9C9A809,SHA256=D639EE8AA953765E88ADB6A290853DA36C03DB7127B65B86460A52BD6FF9E90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:52.703{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825ADBFA2C81C2C6AEE363A3C52BA977,SHA256=9ED7D2686DD47E20B477449B872941B19EAEC5816980C1D40CAA23645E51218D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:52.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075D8EE1615AA336F3E80685BBC23EBC,SHA256=B226872613F400EE10447332E4C7A5214398988CED0ED81652BB738519C7C84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:53.919{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46CBDAC755390323E2A39BA76D66161D,SHA256=2F75E398D13CF5471E71DF11BE664DD938C724EE4A6AF483B6A69D148CC7710A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:53.720{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A36D52DEB9326A49FBAE3724862DFE5,SHA256=17A9A9C10204D6A42D825C992D52AD99DE62B08F2802B0CE0030F67C52E634CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:53.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773FA1A6BCB73A97161ADCF8F9486B53,SHA256=74A59AFF68654DF04335474A7E75DF291E53EA813BCE9485A39DCF3B1BCC5928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:52.016{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:51.552{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:54.800{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC4F129AB0E982F773098818335DE5F,SHA256=18BBCDE63EAE7C81B0DF386EE7E3736E86B9B0F2E6A4CCDB2EC3610C37652C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:54.342{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998387E57A82110FD79CACF1624F54C5,SHA256=2F6439ACC001CF523FE4BC46036ABADAD1584C85EECB4E469D0144FD0AF0B579,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:52.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001289789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:50.537{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61633-false10.0.1.12-8000- 23542300x80000000000000001383519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:55.849{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778AEBBE1D7F20AA34CEDE7873C15CBE,SHA256=4B12147890752DED2B03A7216180BD3A0448E1BE7DED872158B4E9FE61C4164B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:55.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0993B3666FDCE70D803111DE5BDA6AF9,SHA256=6E30D77D9A49FC6E2CD3C1FB11E2C97136D16F20476112DAE66D6824BE11C998,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:54.935{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:53.812{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:55.001{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87DAB8777096D0AA5C51F73327E569A,SHA256=FF335FE02B287254E65C8F295F30EDF14A36C396D4B565801CEB7540D1970638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:56.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F456075B18A276C3B72647DE4FB44CE9,SHA256=8DE728A087CB80483F16D9BE160FE29BD8DF745DC4576B61970FDDAC4D6A4156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:56.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B098E9F46EC4CE4D798AE873C61940,SHA256=FBA63CAED2E92AAE4D03261B06397718F877E8DB3FE08C78D194D6879C5939FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:56.118{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCA9915F90134668724907EF547496A6,SHA256=A215FF993BB6D3D11D4D94A48EB36B7E91431128971CB0C6E9E7F11B2B2FD0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:57.879{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CD5399795F677ABF65CD6B6CCD9D7F,SHA256=8E26108CB5636F90754CBD7B8A91B2E05EA20570A83DC420B2B6E55D19C5598E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:57.373{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19410963CF726B84FC6018FCB143581,SHA256=44F17101CC7A1D426DFF210C7AC9F97A252B6BE5D8EF51058AF374EC296BFDD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:57.144{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:57.027{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:56.028{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-7563-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:57.249{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7D480A26578D76E09C82093AFC27D21,SHA256=53726507812C953E92113BD02A487DF938DB275C742ABB5A1F1A8D5BDD2A4906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:58.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4AE2C32AF65D1A44089D12616CB9E5,SHA256=D9806E9F18F2C1BAF96909949EF5849C540D9C546D8083AC82CBE453A2414784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:58.897{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA011E8935D18D8B25D7BB10FA696F8,SHA256=030A3A6DFEB16F34BF0665A29DD198F7616CAB291E73EB58BD6302ACDB14AA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:58.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ACDFFC10E143236A32CFC88E32E346A,SHA256=AE294A4F3E6F2084FF68FAA4EF3BD9CEE8F5BB2A6EC40C5175DC9CEFD2C3DA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:58.036{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5714MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:59.915{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2729466BC0577FED8F029982678D702A,SHA256=8CE38715B550F34953EA70F1FC2F62AA447C3115635DF97629D15770728B37F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:56.571{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61634-false10.0.1.12-8000- 23542300x80000000000000001289797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:59.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC83EEF5237FCE7488D68FC983935EE,SHA256=82CCE1F5755F5D4AF8BB1C0FCF28D523F8FBEF4EBCEB258C52C0D2F308D619AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:59.049{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5715MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:59.509{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-33302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:58.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:13:59.578{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAF34A46F9E134239656A0CB431F312D,SHA256=33B2C38770D6D27F29A01A4B4F8CD726A4995F569BC8B6BD1945B08F0E8F1D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:00.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C42C88866E133C6104CC53F837259C,SHA256=DDC8D6C179E58DDA71D833363C8ED3EAF9B042820B59A7192023CD65DAEC3BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:00.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FC7D0A7AB662EB3DAB7464AAF1BD2E,SHA256=03DE53FEFFFFCB6B79345F209B5A07DF357C34F2270F1E79BCDD7BD1AD5D1684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:00.815{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C49E62A31BFFD27A45945850E704EBE1,SHA256=D9F5226065587DAC92319DDCA855B2C8B9A02E448B98F854E0CA4C1632A558D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:01.976{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC782F1E7764A59D2F6FBDABF5708E3,SHA256=DBD1F4FBB91D9A51A87AB259AA2AD7D0DFF819667B1359572F920BCCCB520E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:01.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BB73A3B63FB01812B0535A7584AF99,SHA256=4F11B153425FF7CFDAA8A1BC4061B8571344536D8371748D510EF40F6B5B766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:01.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C31D7E872B5A08CC4D1A65A8E37F12FF,SHA256=517B55E1F3F4792F89903922AA44B2DAB228F8CB338E3FB33EECF7691D717A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:01.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD022902A1759CF103FDB44F5458245,SHA256=A94174E3441934A7B4136BB66EDC0534DBF96BA6670260B51CA768B086F9B639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:01.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A088B19F8F452F863090210F859D42E4,SHA256=ED5DC3ADDF96167EA966AC2CF0E7989D3F2F430605D0CBC9B5D8B19AE9DE452E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:00.611{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-41219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:01.049{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1397MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:02.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78BB73A3B63FB01812B0535A7584AF99,SHA256=4F11B153425FF7CFDAA8A1BC4061B8571344536D8371748D510EF40F6B5B766A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:59.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-13956-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:02.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D6029B1FC09C384E9A7EC249828143,SHA256=4302309DBE78454B787495FBD35EA33869C19F02F0E2AD7D85476AE3A3A02AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:02.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85B7080DFB1F97527034DFEC9B84A903,SHA256=E5C7FBF593E4216A3FD198787F0807C0759BEEE6456AF86355CFB1AE6A2A81C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:01.829{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50088-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:02.068{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1398MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:00.237{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:59.212{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61635-false10.0.1.14-49672- 354300x80000000000000001289807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:13:59.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:03.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5A48B35926777033D634896B3DCCEA,SHA256=2F7EE570F1ED65BD1BCBADA0E826D5B468431F60A2D6F51FD2E7723AF36B5BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:02.208{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:01.893{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261635-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001383542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:02.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A87B94A8FDDC836082C5EADC9B8453E,SHA256=C41056DE79331ABFFDAD2C41999C13C5FAFC0AE3FDA9CE821BDEC1CCDBDE1B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:04.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901C23E6EE592F3C3A2A3A849C99F63D,SHA256=07D589B9808FA7411B7D3195E851741DB45D63CEFFFEABB5D599216A6F7F2439,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:04.014{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-6882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:02.910{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:04.129{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE9A8A24F6C9D7F427A3E9B0DCCB56A7,SHA256=4519D82CF0045C3CFC59B48A890C87B5189DF10A832A1D5FD7A996C68D934D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:04.029{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6B875393B96958BC34AB83C024ECE1,SHA256=FF0EDE15B3A5AB54182B3A1853F203C6D0B72657A6877860538FDA40FA7937B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:04.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BEC863FB3FA95256BF4A4C1C4520C5,SHA256=EC198BE7AB03031073EF87F31EB8FED6461485FB80FA993DA4C953DA05918EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:05.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1278A21AB091140EA5B8AFB307B2BA25,SHA256=32AE8A1E805DE47A321BA0611563D35C8139659327907EB79FFFBF1A795F42CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:05.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCC01FC635B769914628D872048346D5,SHA256=4F27A8D424A4790F4B9C37832F0771E118E4F8FFDBC377413F823EE8ACF90FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:05.059{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682E1A5508B2BEB8C63D83D59312B9E4,SHA256=CF67400680E447B789154A78B569084EEE53950242C1BB0698C80B98F6F3C5F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:01.315{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-26132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:05.147{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32B4DBA8DA0962C2FD393D9A22E6DDF0,SHA256=34F53140B0BD523585F10E67D8CF5F2D2EDD22EF40F31B5ACEAACE5CFF074B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:06.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF835F909B056F922C06EC74A8AE80AB,SHA256=B5A043814425DEA3037A0EFB2DAB3B9094A12CC20F6FB775DCC90AF8D241084D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:06.392{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FA46574230FCE6888CA0E9FBCF159B,SHA256=9CAEAA2F555A7AEA9C4CF37DBFA6318629062B6E1CC8EBBA7558768D8245F588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:06.112{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E487DDDCEB24DC898DDAECD73AEDC492,SHA256=FBCFC561500298A7F079221A4F7CEC136379634926E5911ADD356759D1779211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:06.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A131F8CC49CC75FFF00131B470EEC7B,SHA256=C2B74F71EC21EEE4C06F033DFEA6BD7B7743AAE32799110BED57A382E5905D06,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:02.408{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-31877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:04.722{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44550-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:03.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-38195-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:07.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8BCC152E625D3300ED8EBC2346B75A,SHA256=1A731BC9114D979845AD968C1978FD92D7DD13C73279BC302FF492A44EA386DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:07.428{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BA3D87AE56B4C0CBD2418F147798201,SHA256=304BCF5EC5EC4A5F96410A9C4D6A8E6DB2C102F15957D04585D02B5C40C58B4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:02.577{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61636-false10.0.1.12-8000- 23542300x80000000000000001383556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:07.473{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2BE6D53C2244E1626BAA1815014ECC4,SHA256=FE41BE10812CBE8E192C4C32E5C505952D3F79A0726084EDF561A2EFF2EA6F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:07.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6BFB5BB9D168B3432053CB85B087A8,SHA256=CF7F3ADA6267F39FC0DDE1438C0FB4BA06A208C7BD0E7790243CC670198A1502,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:06.288{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:05.158{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:08.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE43E7C4DC3C85B1A55D2565B051C230,SHA256=0540F18F9679152EC6049CC775111B9DCC14A78188FFCD70CF1003C5101B4FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:08.490{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-39976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:08.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:07.408{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:08.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2582CD60B00A7FB30A52E9511841DABE,SHA256=E3DA0E2A79143560B0AE04FB2BF4D2940BBE64DDCA9CF2575E479ABB27BEC994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:08.142{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91122AE7C6F9D692FF1AC6E174C090B4,SHA256=D914FD7ADFFAC282759DDDFA8617C390935C0FAD3915D075AE3B1D6F33EDCA43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:09.694{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDCE0AE1EFC1641A70C1601768BCCB07,SHA256=457946DA203E28F3F4280A2ED23007B3BF61862B9AC2AA39902B5B0650AAB063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:09.210{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8810DF66FB5DF3886792955E2FD4E958,SHA256=EEB42687BB03B7CB8309C9626DC2618D12EAEAEDFB2DFE3FD028811992E4D8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:09.640{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9D36B691D2FD1F7D01C84965B4455A,SHA256=B8FD1B57C4E51F363167AEB4AA74316110A0D5F73A321BF3A520BD39636D6F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:09.172{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB83A45E229E94B00D39E3F96341AD5,SHA256=8916B618CDBAEBDF1373383A46B3545E1C1FFD827109FEF96F665F9AFC7C202B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:05.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:10.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E3EBEB5B831BE716B118598486A9F7,SHA256=03949A06C702B1996EDB95BA18A425F3421E235CBE3C35355208657B9FDC232A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:10.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1254A5664B771702332971827CCB96FD,SHA256=834B38B866011D49FE383531BB7E264EA9D0788FA4EECFB07EC145DAFBA70362,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.655{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:09.571{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.810{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6EAADAE28373776B5EA5C14B85D6B562,SHA256=C42A72F29E394FEC555ECB1B42C68C8E326FA32F189DD8F37CA4BAC9709BE225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE2-6152-5928-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCE2-6152-5928-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.794{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE2-6152-5928-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.789{5EBD8912-DCE2-6152-5928-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.772{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F3C984CAF2F151232A630FCEAC2A037,SHA256=9F6E50C073B6476B25DC8CA7823042D0CCD7CDD482AA2F7EE6F382197307D8E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.341{5EBD8912-DCE2-6152-5828-00000000FD01}58005756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0E20DA9F574846013D70CF47C694BD,SHA256=04A35E1DE6DF68D82718DFEAF1CC7645BCA2A404DBEA1944C7B7F80A2ABCB2E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:06.954{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-56320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE2-6152-5828-00000000FD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DCE2-6152-5828-00000000FD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.172{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE2-6152-5828-00000000FD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:10.173{5EBD8912-DCE2-6152-5828-00000000FD01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001289845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.507{69CF5F33-DCE3-6152-4FA1-00000000FD01}2504336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001289844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1598C795D7BFB06D9DE6E55FA6D20383,SHA256=3941DCCB4CAA871108F3855742435A1596A9039A6D82D577FC1B390B4BDE79A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:11.788{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:11.809{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=803C75E4C5741055747EE1692392E111,SHA256=B1B35FE05A70BF61F9FB5EDFF3922B8FD023923FD7B265CCE6283EB72FA55F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:11.210{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF78F4CD4C49D4CDAC72B1CCAE7999,SHA256=B9956A371E915637B29156DB39365586076C9EEF5BB972B88F26E7337BF35001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE3-6152-4FA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCE3-6152-4FA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE3-6152-4FA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.366{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.351{69CF5F33-DCE3-6152-4FA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001289830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:08.066{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-3401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE4-6152-51A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DCE4-6152-51A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.647{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE4-6152-51A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.633{69CF5F33-DCE4-6152-51A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFD726EADE5C316DA18CAB097151E23,SHA256=E918FC9A9480CD4C6F28CE8271DD484B4CAD11E590BAEB9C418A48F6F17AD20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.939{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58B2C930D5A2EFC1BE65F94B8B03F9A0,SHA256=AF36771E160F8E04983E35047A6D0BFB674D560028BA7B909F06262737B1725E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE4-6152-5A28-00000000FD01}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCE4-6152-5A28-00000000FD01}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE4-6152-5A28-00000000FD01}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.724{5EBD8912-DCE4-6152-5A28-00000000FD01}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.224{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBB59E3C03EDC3AFF6F7C907636C3BD,SHA256=30D5D8FA9923803E95B7FD21CFDCE23E4D0E03EA1009406882A6E7F5B73EB93A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.225{69CF5F33-DCE4-6152-50A1-00000000FD01}512820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001289861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:09.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-9269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:08.592{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61637-false10.0.1.12-8000- 10341000x80000000000000001289859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE4-6152-50A1-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DCE4-6152-50A1-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.053{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE4-6152-50A1-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.039{69CF5F33-DCE4-6152-50A1-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4510A3CD27168191751489F0BEEE4610,SHA256=37EE200DFF8433C74B259D661BD121321D7583E9559AD53BBE6039D344D7EF18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE5-6152-53A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DCE5-6152-53A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.850{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE5-6152-53A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.835{69CF5F33-DCE5-6152-53A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44972718BB6C1FEB485F90E83C265C4,SHA256=7D532718F1C679CB52952C850CE42B6DB066AA69FB5472D1E65FD71D63B1F36F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.491{5EBD8912-DCE5-6152-5B28-00000000FD01}5376712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE5-6152-5B28-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCE5-6152-5B28-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.323{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE5-6152-5B28-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.324{5EBD8912-DCE5-6152-5B28-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.270{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E66D65A0E2D550E6199E28D71DDE06F,SHA256=1A1D1149F79678DCBE22F308519744037CED075FC829107638415728D1E74CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.319{69CF5F33-DCE5-6152-52A1-00000000FD01}22761868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001289891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:10.393{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE5-6152-52A1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DCE5-6152-52A1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.163{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE5-6152-52A1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.148{69CF5F33-DCE5-6152-52A1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.053{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20018F1CBF3E2D37DB73C5256C0DAAEE,SHA256=98E725113C0F29309BD2D42F3477DC19ADCC0871B90AD57DF931DC11C145F6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9256347B76FDB03719B9B77BFBC14989,SHA256=DDF6CC9FF83ACEE145AC2AA11CA80630357B7B5FB6247F1C6875943D556E1554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.678{69CF5F33-DCE6-6152-54A1-00000000FD01}15923340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:14.353{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF97742112E1BBCD9FE652BB43AFD5C,SHA256=C4EE1FFFDEFB4DD55E056BB70C4C09AC49588DDF5A6D7CCB569AE9A6E9E5A514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001289920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCE6-6152-54A1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DCE6-6152-54A1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.538{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCE6-6152-54A1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.523{69CF5F33-DCE6-6152-54A1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.225{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB48A73DD466E82009B09C4E69342B0F,SHA256=346CC30FA99CF7931869F3047D5FB0D87F68CF8BD8D00109C9674DFCFE70082F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:14.288{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0962DF16C74BE0ED6C163B6B94611493,SHA256=6F8CA6E37183A0D76040DC79D51A324B83A66AFFDD93A1A2C17F19C6413369C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:12.871{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:15.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F1CA7220240FE25203F9AE543A3934,SHA256=FB60E91F4297892FC24D9AFF31A9E5C566AAE3E6C3042FAB4A0D889390F1D759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:15.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A21EC9121AEABA7D5B39AB02A509DAC,SHA256=F0AA113BC6A0B815020943F1195560135A0083CF2F45BC16C41F4D5A5793DCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:15.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6006C9039396DACB461DB69389FD68A8,SHA256=9F19F3D3AFD0E9A2E457A1951CAB5B869DF8730E19EF318FE79E6B972FC78D2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:11.487{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21913-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:15.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D61A2D7503F8637A01420D5789B427C,SHA256=4BE70B214D78C129CD1E8AD224366F5398DB7BA187BF981BAEE2943DF228FC02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:14.011{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:13.202{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001289928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:16.975{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BA4A79D1684C811661DCB2CAE87B38,SHA256=84859743CDE40961F6E49BA17F5F0E3645E6214C8A5ED0B3D43B87C48ED1F34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.790{5EBD8912-DCE8-6152-5C28-00000000FD01}53447012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE8-6152-5C28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DCE8-6152-5C28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.637{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE8-6152-5C28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.638{5EBD8912-DCE8-6152-5C28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.621{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BD116B048AFBB7576D1FF80237147D3,SHA256=B0B34EB01C2972E15F317261353A61A4E1AA4A8C4FB6F7E9B0605997CFA765A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.385{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A9227F3B17998D2D70EDBEE2D99E46,SHA256=650453E9F048314BC6EA07E721D9573B52E1B4E4FE7F6AC3531153C3C7DB726E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:16.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C940758F3DE7194F63675963823035EC,SHA256=BFD8E1DBC39718B74864FB4A2AEC71AC6A68CCCDB84CDD80938FC2C1A948DA1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:12.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:17.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDD3FE068A7D3C37CC980875A8DC081,SHA256=C1328382FE307A6EC86ABA96B3EA36C02C967259B6271100F7D915C0712C6222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.668{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F244E8F4F6F1716E58701548C72D490D,SHA256=F6C2C5DA88B096BA0AD4384731F5F5D2897E59C96B12D9563E4113A4211243E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.490{5EBD8912-DCE9-6152-5D28-00000000FD01}70727112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BABD4697C3A92E1320626A2EFE7F2F,SHA256=323CCA33F8B73EA9A9CD7DF054E9AE2CCCA5296D77E13CEC490CE635CC3F5AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:17.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9420BEC7F415F10379696EBEDD93FB2C,SHA256=159ACFD63182FF5C2E1E835383FE2C1E8739ACB6016CD1DA43B0D1F92AB13850,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:13.863{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCE9-6152-5D28-00000000FD01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DCE9-6152-5D28-00000000FD01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.321{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCE9-6152-5D28-00000000FD01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.322{5EBD8912-DCE9-6152-5D28-00000000FD01}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:15.315{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:18.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B542B2A2978BAC73775B949D280CEB4B,SHA256=7911F9BB60583229BEA29A85C75CF0F7BDCD9DC34A0D29F81A512ED3DF4C4576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:18.885{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A573CCD46E0EC24DE22F2E31FCCAE5CB,SHA256=F16A817954A54C0422C3E806419FB03AEA1F98EECE3F043732E7C05A98CA8AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:18.421{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB7B7656A91C48E31912DC38519530A,SHA256=51D63696639C545E86ECA7CB860CB5536C95F925769D75585751E91DA42715EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:18.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AA7FA321C5633B5D94AB012DAACB6A5,SHA256=30AE80DC1310934012BF6A8A3DCD14946BD841022317DEEACDA867EE7B399BE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-40140-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:14.545{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61638-false10.0.1.12-8000- 354300x80000000000000001383640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:17.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:16.466{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:19.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78F304E108CF51E8452226D9A7D0124,SHA256=E99438EFBE9A10A8DBB2E48A9783FD1B90450B7AE6394EA8F2464182DD37F587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:19.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDAF59CEBD34D2C609AA6F2444A9212A,SHA256=6A366E7FB25162ED1348B395BD38C78DB1441C090B0308FD662F7052CAA06C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:19.467{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042F9F313E2389D1B59B0A891FCE3012,SHA256=1974A596B61A7B925094CD5DF1B070C96E876E7538B44D4535D9E762EC663B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:19.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1650B8CCB73F009062AEFFDE7F7006A1,SHA256=8ADB1EF2C189EDFFEF17ED6C969F5D6F83BE797038CA3BF316AF293BFC9673E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:16.100{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:18.765{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001289939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:17.191{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51980-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7141FDA3EF3746075E37AF858425A1BB,SHA256=EAA5453CCD9A67089EBCE3507223D26C729419D42A1D48DF3697A14F25E3244C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:19.214{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001383653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DCEC-6152-5E28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DCEC-6152-5E28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.020{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DCEC-6152-5E28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.021{5EBD8912-DCEC-6152-5E28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:21.504{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE493809634DD9B7F65200FF4C5193A6,SHA256=ECA5A174CA10EFE6E42E4B3C4006C41EA7DF5BF8105B65EA254DFC8C99ABDB54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:18.336{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-58088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:21.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C50A1C48DD9616F3C08BEF0DD5AFB7CB,SHA256=CAFE8B8BCADC7089E6FEC42912B63836F92316A1745C79F5B65747A1AB9582B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:21.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730862B7CEF5518563105D2D198F3312,SHA256=DA8FBAAE8FBAF8A7660B280601B4A7567BA18F8B2965FAD85CD702211FC793AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:20.990{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:19.900{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:21.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8219B019AA91C1CAB5EAB09A47A4A1E,SHA256=5E6FB81E50076BAB7194C0A54D20AC0CA4AC3503BC89C20992E82BD61EFEA365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:22.518{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F852F1986BC93DC93D1CD7F501683EF9,SHA256=3FE1B19C1E6B4788C30522787C8866E5E1171CE30E8D6BA28138FACE561C79BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:19.428{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-5012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001289957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DCEE-6152-55A1-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.572{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.556{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DCEE-6152-55A1-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001289946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.556{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DCEE-6152-55A1-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001289945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.557{69CF5F33-DCEE-6152-55A1-00000000FD01}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001289944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE5CA4EDCCF8E7B1B05117D65C701F1,SHA256=7731F96E64B326272D9790C7B54EF64A672B3FEB32870502231C0BE17C71B826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:22.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0578C58187A1B547A0D11897155FCD1D,SHA256=F9FC37B124FC56B4E01603C001CD32693D0CC36C0F858644174B43CFE8B7BEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D559E2B6017F4851296A808553758AE3,SHA256=6B2289D2B0B35CC4C83FBA6E0689285EEBC79E3F99C4ADC3CE4BE9E559A28749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:23.548{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71F7E8921423972A102D9E4DEFD8A4AA,SHA256=EC584AD981B739A29FFFDB0CBEB07DA03D9FF3421903E43132E531B2109B9C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:23.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5B027D483C28BD3A5D9EF4D34A2928,SHA256=A5C5F31FB130B2BA88C00136D6A604391075E69A8755B5EA75F4FF8001C4D3B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:20.532{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61639-false10.0.1.12-8000- 354300x80000000000000001289961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:20.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-10797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:23.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93266312D5DD19F22F3E9C23EF3E0226,SHA256=0E380899EF8A4BBA7A5188B78389AC62FC9F7C833304E31A5758E18C076DA765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:23.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9ACE2F24B97EF36FD6DB3AF7047DD84,SHA256=35DC7F8FC4BBABE9C2BE5B9FD4A2023F4D497464A72924B83390353B689C63F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:24.631{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7F89A6B75A1C6BAFB4E28AA6C3F5469,SHA256=264C5ED06107FDFF069DC6251D3051BBEEEC6DDAF4F994504F4D960EC7A0CF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:24.547{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7D5CEFF4CDF7AB38586BF99DF3AE97,SHA256=154D51F2EB02F5E444ECF9036F69094CE5D53798B7F4952B0A4E8080A8B94DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:24.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBF35965A9717DDFC9D11357F57F6B3,SHA256=05F9EEDDDBCAAE44879A6BEF6E374562764F5EDE30287EEB350DDC7DFABA7AE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:23.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:22.134{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:24.353{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=856354B42C85A6AA9E6204F906BA89AE,SHA256=5AB731EE868E35E833C1F2C447631D16844CD69D29D6B4320F78B12A4B061998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:25.635{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438811DAD69A8F0BC3679B8FAF1DE88F,SHA256=9BB8178A51B071DE1DC5C46C3EF82EC816E46A4ED08CA901EBCAAA69E27F2B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:25.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D3D25986B6B75EAD9831D1C5DB9866,SHA256=056052B1998992BB24CF698178FD1DB1458626D4EC3F71CA0D7755006D639BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:25.562{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1462C9BFAC7C8A53C32C72A10E5F1387,SHA256=1512A4473F07E074E411FCED02F1A888C42346880227DA3B3481B64860EF9A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:24.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-38361-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:25.431{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B861A72EF3803041C64769A42CA89466,SHA256=8736D383024F6D01C6377E9EC055076B6BE24694E07281FEBEB873A36E9612C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:21.611{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16830-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:26.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462CA794C07E04547EF5ADBDF94E6610,SHA256=298DA1DE3933C64A1A144370928C77EF0B3A9718B745C2B7146A28B72F7092BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:26.899{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C64720438E80CF2DDCC9D92255A573,SHA256=A02FB33F022DEC5718A265E86D7B0F013F18755EF95950A4A0741566AC12D89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:26.562{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8054DD6BFA5F392D013C7CE81DB96CC2,SHA256=D5D51C10B0CC7172CBE6AEAF1E786723BFC7F6E51AED9D80DB598E8CDD54B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:26.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18AAA1A36FC30C17113527732C81B748,SHA256=EACCFC763886DEF8DDEBB64107E4B853C2F03F16FC462CB6CE29DACF0A82E70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:22.725{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-23058-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:25.209{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001289973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:27.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A319B5E3C5E3D5046C2BFC8788D4F549,SHA256=A708BC369461B34C9F0B7C3F5FCCBA7F00100D43DD03C0D9AF8EDA36FED90A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:27.580{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B77B5F51CD9DCFF49F88578D16E86E,SHA256=56962AE2A7ADD526222BFC776B8E0F515DAFBF29506E22229F0FD0CC933076C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:27.634{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390A494DB2ABA31D9520D8ABB5F499EB,SHA256=9B5A7BD70C1024448207C28B4312F9FB89A18D1EA515E9D8E1DF3372850689F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:23.803{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:25.650{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-46041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:28.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED45BA30430337AA5BE01182563D52F,SHA256=29382D62FB647D3F2384F2C3579C9BAD8CB24D342583565D6B97DCAB1CD050B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:28.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9CD189B9DCD45F57949F8D91031004,SHA256=43D9EA7C11C764CFC153BD7C3E152FAB8973A750F57AFFF88BF9E1E3C8B7184F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:28.598{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB2F517F1B34E7B16F690B39780CA17,SHA256=0DDB6DD82066C27B1A0A1A74D6829CA24AF495FA827EE9C6993D35A376EA09D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:24.927{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:28.099{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:26.792{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54296-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:28.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=936B7319B9FB4D3C35271320F1AEF565,SHA256=5D24CF6FA006CE072A5DBDCD72F297084D8556A7091963B9D67B2FBB818EF0D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:29.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7431DAF63590218CE859923F7AFBBB4E,SHA256=267289F923E14D06870EB7FE33A2828DC0D9147AC7D5C7FD571C732E0FEEB012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.613{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69944A62BB31594540B1B68B2D438452,SHA256=BEB0E0BAA152659F2018256612939D4F8D19E56C621278434C0BC0D4928326BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:29.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A3ECFB7C465FFED8334A593FE240817,SHA256=4813CB4280050F8AF99F0AA45907ED0D1B665937B30D871FC556EE084FAB3FF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001383684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.544{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001383683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.544{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=69EC9FB39576FF61D6AD33A791516277,SHA256=6B7962558FDF606BDBA40520734DF336EFD18F94D54C271AECFF8C28940F88A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001383682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001383681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.460{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=20C3A86BFF7D52922CCA391F5CFE4E8E,SHA256=C78CF3ACC2967110D7225154FCB445CF0A33588E553FE2AD73AE1F57A106CA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14003A4610B4BF2256F161D7E3EC27E,SHA256=8BB11812C046C3DB95E9C2979E2A04A308A352974FF6D9F41AEF849EA2CDCADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:30.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7C4C2C174FB51C6BC35FB2E2F21092,SHA256=FB373FBEF23D9C5A6EB6CD8D9D14F09056E9306C4737141430D0B61601084455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:30.628{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC95ECFFD4874FFC3DB63EF6DF93815A,SHA256=B5375FDF6F61C5060523F95539402E53FB5A7F0928F3DAE3052039FBDF04CB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:30.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9DE5D580737D3892ECF737CD6237AC4,SHA256=264CCA65D4695B4D55ADA9C76EADC2236116795BDCE20ECE0ED86656120EFFF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:26.517{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61640-false10.0.1.12-8000- 354300x80000000000000001289979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:26.005{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-40720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:30.496{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=569C5E6528583E8383056BFC97EB4D51,SHA256=F145925393CBEFE6F85DD77EF5CA615667A9ACEBD47F31E8FBC73060427B8A43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:29.274{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:31.642{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D76DD19F0BFDA16A6E3C56DAABA866F,SHA256=FEADD47CD52624D66D44013D4F407C81ECAD5569243E319BCC5E7B879DFD7C7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:28.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001289983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:27.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46702-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:31.626{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C98A1AC0C0E8C183D33588A3C3EE31,SHA256=65CB1A9D0A52CD7F8EB08968447C0C1D967F798052C95D369958D52CA39EEA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:32.775{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C92C752C65221EC5348DD1477B9AE084,SHA256=B8A95B3335A97E0781E28FB71173B9C452BADE76A2421CA8AE55D22FDFFBB3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:32.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50FD92E1229BD9E60386D82C688EF53,SHA256=8D0EFB9BA752DC0B1C01816B012D5EAA54BE0065F41B7B5020D30C8483E7A2DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:29.317{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-58730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:32.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06162E5463EEEAC0ACA15B67AAE640D,SHA256=63BF2EE1A293B7F130C6ACC470AAB9554390F20FA800A804D395A6C9EBD93FD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:31.524{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28918-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:31.206{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:30.395{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21116-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:32.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAB46E8D3F778595C85175EF226CFA5F,SHA256=6E994F27C976E31218739D01B7A68307D87788653ED9A257F13B7C4D582DB5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:33.895{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01D02863C3AAC27FD1A541D200A6F88,SHA256=21EDA7F373459C049DAFAC3295F3D0B2F7E39C28520FC0F8B0DF16D7B1C7870D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:33.775{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180F94E0706E3CA9E8625A59AB4A130C,SHA256=05120DDA5398B4413D88AF0CA0CF48284A8E8C24DC950F004515E150A266BC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:30.474{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-6153-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:33.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C9BDAD54FA624E62A1CA8203F6D3C4,SHA256=12200E2864E33C692E312BA2B5C7192000BF7B6AC00C66A0194C08B9C1C369A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:32.448{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse59.14.196.14-51632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:33.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EDFDEE1682DB77F5D909A1E8726328F,SHA256=9835CFE4D234FC23BDCA0A34D4EBEF1765EA40691C15B20E7D7EDED0C82C96D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:34.977{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADC7CA00A1636660AA093E0A687171E,SHA256=D66D16498C73DFDB331463DC54800F90D6D970ABA9ACCBA985DEC8451D48A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:34.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06741B42434728478964076467A0ACC5,SHA256=F454D8C82BB20A9613225640EF273E826B65E1734C2DC4245BBAABEAE4F8A768,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:31.609{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-11960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:34.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59D285123CD9BED09E73E5D0F1689DA,SHA256=33DB183AF070F1B08EE1D52E283E49060FEB9D791C9AE51451F35261B4394098,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:33.804{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-45399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001383699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:32.657{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-37390-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:34.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=051AAF2BF464AC85FC0F10E1B64ADA92,SHA256=877D7B5305CF9E9A7E68F0AF6FA431DC0A77ECC909A08283FECC5C2599C72501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:35.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5AE6302CD242DA55B0A33B00301A83,SHA256=6DFDA8F853D2BEC1AD1D2EC2495B4EF9D7CE53388354F12BDBBE576A3FE381BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:32.532{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61641-false10.0.1.12-8000- 23542300x80000000000000001289995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:35.603{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B871D7C5FC0AB0CFDE79CE3F8D36D4,SHA256=CBCD481C54786A83C5399A298DBA5E171464D00CB45C52824F333B5B26278A3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:34.927{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001289994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:35.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D48490CF2683DB4CD465FA4E2F01413,SHA256=D0C68966284CA2DA9F85D777996C59D90D8B0AFEDCDE049A6C17945DE6931C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:36.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCD5EA011023834C819F55046103AD1,SHA256=DF287110D8160BA0C47AAA5AB61C3B17B7F69093BC798A43DF4AAAFC8F3CFD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001289999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:32.693{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17843-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001289998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:36.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5E846C3D06A199619EA2B4B4586D80,SHA256=5533978888C0454621DF4FCD9476BF9996E2B41EA7687A093CFBED65C863AE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:36.409{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD79190ADE5D8227256D30203F3FEC2C,SHA256=669FE587C61E640179B9817DEC591EFB88744C21906DD764EC8CDA4F52F52F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001289997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:36.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB34C080F4793B91314FF97666D4BC61,SHA256=4CEAEB1142B11EDDE922D42179B594F9B3C207CB9A9C67C778DBFFF242F5F241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:37.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4F7FA41BB4E936B251A956CC59B8D7,SHA256=78F49D731D1585595232DD0B0333E21DEDAB41B7E37AE345DECA71406F0C007C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:33.772{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-23660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:37.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AFFBC0555066DE9DDDFB044B6B17D8,SHA256=0B0D85182842C9125F821AEAA42080AC7E611FB1369EC86483D87DD2BD32752F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:37.203{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:36.306{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:37.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBA7DA95906A6C32E8695833335DB30D,SHA256=8D165053846BEFCC4226DCD27EA59971013A0ADDC43BC3BE620A60B2F4A11CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:38.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10944F789C59F57674B794A658598150,SHA256=D0E825D2C37BAAEA82AAAAC2D55D9D2988C1CFF6456CCE8CAB232F0B8C91A9AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:34.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:38.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD3D6A7BB6CC8017C836B0CA4EB1902,SHA256=AFE744AD25BF1E50C2FFC00ABBF88B0D2D03EC1E177B2DED7728BCB96FAF64CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:38.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6795106B36AFE953E374CD8FEB3EE74E,SHA256=8D74A27E8B83231B6255185F6D6D4068F1D413F333A18730A747B5367BDE74F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:37.008{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-40723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:35.927{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:39.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDC47F7E717D713004CC7D08CF7A27E,SHA256=C925CC236E52C10C039044D35C067913A8F0C53C53656807BB14CB486CAF56DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:39.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396A40832B06FA5EB486728FCCF3E4E1,SHA256=CE262E0958BAFCB159074E330DCBD87B17977A08D0CDCDDA2AE7B5C96AA1AE35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:40.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C0E7D6C572859999CCAC76801D88D0,SHA256=D5126633BAA7C04DCF067B304A59392BD4687BDFC0983CF4565825D1795957F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:40.052{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD758FB9D488BBB8099C4A78E52842C7,SHA256=346089411234874B052E440D555C15ABFD54AF10FC57630CA3D8FA4EE1301832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:40.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F5317105AF7A406565BBCFEEE7874FE,SHA256=85185ADCC36B83C380320E3F6E33A524A2B02A2202260C7D868F05D4F98F9589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:41.688{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:41.688{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C51EF889BC7A0CD614419FFCA6E5C61C,SHA256=6B4581FDDC5DEA6266F349422A15DBC7BD2B55DC9EAA5C43D0AAF2E49BA1E1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:41.120{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250A220A859B71A07B3C0A82C467587A,SHA256=E3386D703451AAF2B56F5428F3370560C087AD740A3AAD35C77F465E26889967,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:38.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:37.176{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000001290012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:41.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CB39D64C9FBB556022DAFE77E3033ED,SHA256=BE4BACAE7829968A288FF37E45154FCD402A306A2856CE675D9E6A771C2C3EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:42.996{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5B6EF3ABA01C19AB582689FC2E400F,SHA256=5A238610D4A234E3CBCFF919C7CA637F66361D783010F52EE32857B99FAE0113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:42.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B8BE6419D0202F1D2D66F9BC3F95E4,SHA256=ACB79981E7BC9CB93088D51344E719C42CE90959E8702DEC40E338FCB9077646,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:42.245{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:42.073{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-64591-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:42.134{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7640F9C6239BF62B1E422ED3E35550,SHA256=62BB6E6DB0DA3EBF4A826314A2C496DBF1D3BACE51BF552A94630D40E1E08479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:43.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EABBA9BD30C6631C6568889850576D,SHA256=7EA8B9166784803067266E6C5200EAE11DCD8E0DCC62B630AB632FD9FD7E1B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:43.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F498C4A8F0F07B4786C4E71E1A5AF5E,SHA256=1A24C4A7F52335E77C4A75787C647C24D079F2BAE608862377A95E8C223BCCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:39.164{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51941-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:38.519{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61642-false10.0.1.12-8000- 23542300x80000000000000001383719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:43.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2CF06D633661958FBCCB8D96FD0B899,SHA256=69A51127126C0A9825BFCB255EEAC9BDD9ABBED921D67119AC578E6C55C827DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:43.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=191735D09C21D3419544A6FF6C4026DA,SHA256=36A06843DBC43D50B47EB89F7A4977ADC348CB75AA9AB0801C8FDA2AF60B67A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:44.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49712AA9169D4665588086137EE73428,SHA256=C7D8361D676EA0CE123D0E88D0701C6239C63A25A822339065001575E6EB179C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:43.028{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51394-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001383722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:43.028{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51394-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001383721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:44.216{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5333AB3802CB6A7E6C0A6B0ABF4BB0,SHA256=F6EE3387BB9686FDBA181280B09265A4A96E1C552B794F249D9DA7ACE5951254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:44.293{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5AA70A05E998F70F5602CB9D7D42D31E,SHA256=EF9284907EBCF14564ACC22FBD2F152E662AA801A56652B7E8EDAC9549405609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:44.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40319EF7D0BB904FA0089F5563017D46,SHA256=BC2C5E91930F1EC75149A15EE41D7E0BB1DFA4ABE786145DC42E87FA0C075901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:45.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEC47C89F35548BCF0AA1768738C903,SHA256=E9531FCFC526CE9894A2DEC5595007FA7D1C69A55383F521CE2DAA74B6F4ABCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:45.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDAF03720254E5570A90C753BFC1E06,SHA256=594514DB29751A02558A92B1D6939553AF3B535DEF5EA802FAD7A38603A2C850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:45.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D52CBC8BC9C44F049744E4BDB8D1C15E,SHA256=EAF8E32BCBADF75940D8246774082D8A3F3546682737D518251066A1C03EFD18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:41.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-4866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:40.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-57914-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:46.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EA3961DD974CA022E8D91A0CF09235,SHA256=BE06E536E2C6E9DEED40EC7626BFB82AA5536DB07C2DC390D79CC9EACDAE1B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.982{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2CF06D633661958FBCCB8D96FD0B899,SHA256=69A51127126C0A9825BFCB255EEAC9BDD9ABBED921D67119AC578E6C55C827DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FF7A2B3775255F1BEAD5357BE8BF88,SHA256=9B2F2500890316DA408ED11F3DD44CE12CAA368C2382A425C4A7C91A050202E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:46.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E56CB429209CB68FF5DAD78F8E6D270,SHA256=576CEE8B73059BD7F85D45210C4901AE10CB1DC9E38DAC213ADC4FA13D5A64D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:43.019{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:42.497{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-10909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.167{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.167{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.167{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.167{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.166{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-DD06-6152-6028-00000000FD01}6284C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-DD06-6152-6028-00000000FD01}6284C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD06-6152-6028-00000000FD01}6284C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.148{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-DD06-6152-6028-00000000FD01}6284C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.140{5EBD8912-DD06-6152-6028-00000000FD01}6284C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001383729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.098{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.098{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.098{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.098{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:46.098{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001290037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:47.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A024245A075495C63E2B38121DDDE56,SHA256=26C7F57AC36BAF70BF261A006C6E70C3AFC5E2E946BE82C6866EFBE2595E2CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:47.613{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:47.298{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD37970BEEB79629B037FFC6CDD2BC3,SHA256=52C0344E7B14DE85B955EFF9C2F5EBD3AA6115FB488E8CDCCE2BB4EE89372CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:47.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A399FF6C14312065D52606CF90005E3C,SHA256=AE47B4B6856410A4B87DB0412AC6406717DB8983F37D525BE65F55E8FFD7CF6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:44.178{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-49465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:43.597{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61643-false10.0.1.12-8000- 354300x80000000000000001290033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:43.586{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16772-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:43.058{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:47.089{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:48.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A642F942244AD014B98C312F05CE2E8,SHA256=157EB58CC9D49F8BC037E47ACEB5209C0ED0A36690C475CFD0D88592BDD55030,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:48.223{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:48.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC818A35B048E5E0A337564A72197A1,SHA256=8295203627A8B21F917BF3E1A86A4C16192A49A92D1CC0D9557F4DC7CC4B2709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:48.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87978714A25194B78179F054AB901973,SHA256=5F75DAFD0EA5D288446FB182859B156611949528DC72CD1DFD03349E81A1692F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:44.678{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-22528-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:49.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD47283318E9341E70E5962C9E66FD6,SHA256=6A7517C6B30A5CB5D27F3E6D52778FF88DF29EAFF44C8A76B262C4E90DFD558B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:48.591{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001383749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:49.313{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F59C49171A1192CB5A1F50E8D3AE68D,SHA256=6C36F6A689633FE1E23C564725B4FE367785BDD252EBF7218E671063CABE69E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:49.668{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C03685A0435F273878161841ABB9237E,SHA256=93DCDE4B37422C59FF9226373E1642A10443F7770EA7A28DBB2F7E0C0D027F13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:45.820{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28501-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:45.425{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61644-false10.0.1.12-8089- 354300x80000000000000001290041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:45.257{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-55268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:50.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D4E80E9772238DD28882039F945A8A,SHA256=A1266F916EA72E519F71C00AF40FF283E647F6CD383CBA665C4EDB2407205047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:50.326{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD64166C67DBD1D6F95132EEAFA1BF1,SHA256=383AB3FE059418197BDC7684561335F4DA4D68A20BC33639AC9E763AB9445905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:50.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30BCE879FC0DC00C44EEA8B487A34AB9,SHA256=3C2D1654AA0BE7058EEF51715AA9668AB4A1C8417143E58F581E925FD05760FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:46.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-34690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:46.350{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1998-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:51.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E117EBE5B02D75F8CF0F704069EC55,SHA256=5342F5254CAF4A315266A4C10FBC63BF86198562047EDC921A81B15E3A83F159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:51.341{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857FA14F6FD7B579F5CF6C2453BA6421,SHA256=007FB4A7B291379DFC678E388CD7A7A05197A920CCCC8B159148C83686B87DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:51.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DDC09B69C9794FD19A9ACC775B1655C,SHA256=20758518E0E6B0055F5FD022B61CEC3A30D082051024E8B080F73E07FC2FB21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:52.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4C4F57D00766F668392A9A610A1BBF,SHA256=B64B0139106EE98052758C3D952D77AA4E804E05C8357AEBF8D400C66D888689,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:50.924{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-65213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:52.358{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBBAA6FE59147DA7FC64B2BE1B29877,SHA256=916C1790B900F7B95662EAAE528E48B15572840F49D84F338D4631AC13DE8617,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:49.165{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:48.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:48.053{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-40730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:47.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:53.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCDB82B70E433EC92D13A1887852D64,SHA256=32186DC72EADE3923EDCA67B780BDAD8693C8D20EAF939B3AF5BAC88A39F57E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:53.377{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260BED0D6D87F14C7DCE210BE802FABD,SHA256=5AB861F5DBF832B7ECF1906533DD800E520C9D45D9F786D08B7D15452B5525FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:49.709{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:49.488{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61645-false10.0.1.12-8000- 23542300x80000000000000001290057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:53.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A006B9BD8048A90952A0CAC39EF33D,SHA256=825DF9667FC1DB4052956E8B8F4C5D738E30A36B95160E87BD7E772E2844271C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:53.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FD33BE1502DAA7CFA8A1CAA9ED8B79E,SHA256=76C4444CDAC3E8C6C0BBD7D82BEBB7DDA4C316B3310BCF4E2FA4190DF31A8656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:53.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9FB6AC1E7CA04698C507D7E6342E895,SHA256=D36346E3A1CCBB434F4596B5FAE3A2503DB1E837381F86853C9EF27435AD98DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:54.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1789874AB1FFB2A2B4EDD3DE25DB2AA0,SHA256=2C19330D10628A61968AAD270B71A4D0253EF5C7E2E3B3E460BAAA3F1118E834,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:54.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:54.378{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1ED1EB64A7E8C6B37C9DDFC8AD770D,SHA256=8DBB2FF59284E5AE140EA991FD37F26AF3CF3D4769DBCC0E95BC8AF84BC3495D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:51.464{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-58296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:50.820{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:50.304{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:54.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEEF108723EA5D11D1C462F1873774E5,SHA256=6C0A2CAEBAF96F65202B12A0D11F91E61B90DAB3C52C7EE7D0F21C88B01FE964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:55.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93907A96B23FA367C4B5CA5A5995805,SHA256=6298DB87E415A2BD4009D849CBBB89EE52904E81EC100CE52F303E0398735E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:55.392{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AF4BD100137EE82C4F6EAE2153F1D0,SHA256=8D2DD01A4CFBDF21A9E4F0A248F864CCD4761A41A25732D4DC1C3CD7CB8920AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:52.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-5652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:51.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-30417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:55.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331DF675A228D9DD7EDBE78A222A383D,SHA256=96339D3612A4EB630F9CD56F5CC71485FF8B0A668F6C9F86B434C60F51B10308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:56.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE13287DDFF3CEC9E320B7C16D3A438,SHA256=3E1A2F1CF67F9D92F5AC1D72694AC49D73D14F24BE9FB55C9D802B08B4AD1B30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:56.164{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.77-55883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:56.507{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FD33BE1502DAA7CFA8A1CAA9ED8B79E,SHA256=76C4444CDAC3E8C6C0BBD7D82BEBB7DDA4C316B3310BCF4E2FA4190DF31A8656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:56.407{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39F58D219300D69C3AB1473BEFA7517,SHA256=9EF87CEAB24FB7603284C9D8B1D7DD02B4AA3C49124EE121A2F7BF224E482900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:56.511{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6014A876A0F29E65083739A0C351C5C,SHA256=6B02959AF68755C2E1E2BEDE802C8AB216502B1207EBE96E42699A070DDC44F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:53.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36062-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:57.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F298724267EE6BED39963A107B86EF,SHA256=5C705CDC22E26EC5471381BD944EFA73F99A8F66DBFB8DC1EF8F269766971C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:57.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FB6EF5D30E470293EB2660B3CE07B8,SHA256=48A3C31F5D660029A6442052AFCD78D07DA49C9007109BDF053C6DECB5563E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:57.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13C0553738AF0800D67ECC4F213B39C,SHA256=0F25BD6C8719DDA49A167D86BD2646B48D22925147604B8F195D26B363A6D5AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:54.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:53.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-11456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:58.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDBDDB44564852FBF31C72E0611750C,SHA256=9F9D9DD4C3488209BAD417D9E45BB869CB92E7EC6E94ADA56BCED186945066B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:58.042{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.111.254.2vmi553870.contaboserver.net19138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:58.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F02C8DE63F7C35B8F2FAFD7AD53FD3,SHA256=6F0F12AFDDE383A0097226C3949D95C92CEF1B7757FFD8C65C8D2021DC5AA935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:58.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=197856874AEB29753C66462EE3F8AAF3,SHA256=019A65FAE7B7BCC7AB07C53FCF802EC87B5485958252C863D2854194174E1FAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:55.207{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-47763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:54.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17885-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:54.566{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61646-false10.0.1.12-8000- 23542300x80000000000000001290086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:59.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AD24D63F8002CA313728303CF43F9D,SHA256=1D5903C74E8F0C1B7A2BF338CEDAD4FAB0FD611D78396FC3DE54F58F114A23D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:59.473{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7F4EEB818C31A83F18FD5972295AA1,SHA256=CDA35264C4A49474A4C830EAF188FED27672EFEEED1A74B776D27F3477300B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:59.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A24C64C4BF15976D8CB904957899701,SHA256=17E78AB6A827B1B833C70A5073AE5895381CB2ABD5922020C95439C0CB7918AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:59.567{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5715MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:56.347{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-53521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:55.967{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-23624-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001383769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:14:59.768{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53608- 23542300x80000000000000001383768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:00.490{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B153516014AC9F60CD7423616E665B,SHA256=05AF945843C081A2860E20BA512406FB2D3D489AF0A8954AEA0D66D0E8B36841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:00.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=620AFEE8206535FE7EBF823259D524CB,SHA256=D8C1183F713848965E24D9D6084A0EA36129F214996ABA9C3172A8B4FD8A8463,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:57.450{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:57.059{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:00.580{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5716MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:00.199{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:01.504{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FFF3C58DD41563E9EC16246087D0C0,SHA256=0A1DE95715CBF8607384AF97F9DCFB53B3A0215EC822F23590B806A759D990EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:01.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3736FE2E133B50942CB765B402596B2F,SHA256=82551F0745218A661743339D78DE5968ECAC179A7FAB1B6FF4FC581FBC51BA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:58.572{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:58.150{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:01.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750A6F87BABA4CB4C3D8752922F7912D,SHA256=6C93E84BEC8AD35BB970AB7042D8CE1960955624934260352C646461B8FBEEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:02.590{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1398MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:02.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8F25C7A9B15D8C4303EB45F3FFBC9B,SHA256=AC993561FB612C2D782BBFDD527073B924BDEB1D8C66FC336B159AD7BC10C764,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:59.247{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-40762-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:02.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1585434646FED5C0E3D1B68E152361,SHA256=8311A481EA852EA63DB90D89507FD5759CF9B01DD1BDFD32E891C36C4D18A84F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001383785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001383784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05226598) 13241300x80000000000000001383783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0xf00dbad0) 13241300x80000000000000001383782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b449-0x51d222d0) 13241300x80000000000000001383781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0xb3968ad0) 13241300x80000000000000001383780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001383779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05226598) 13241300x80000000000000001383778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b440-0xf00dbad0) 13241300x80000000000000001383777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b449-0x51d222d0) 13241300x80000000000000001383776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:15:03.592{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0xb3968ad0) 23542300x80000000000000001383775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:03.592{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AAE565D9B3E4E9574269EC7A11A5EA,SHA256=3221C18759740B0659BD413C63EE036AB851F2F2A59BD55CCFD430C772B25588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:03.589{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1399MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:14:59.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:03.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F902E749C95B47B48748A3D2BFEA23BE,SHA256=70FBC241B478B7B562DCF7F6F68E22E12143B7C86F88DD526170A2F4D41EC07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:03.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760047C3C2DCCCB2D6C460782DA73FAE,SHA256=CEEEE8892E55E57487DBACF76B9D42864A895C27A70FBAC6546BCA7246E5D990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:04.603{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6917ED6F52E0A01DF9724995177A589,SHA256=65DA770DF85B9EA1DBBCD73325E6476732477702DB619797284046FE090D128B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:00.780{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17542-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:00.479{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61647-false10.0.1.12-8000- 354300x80000000000000001290102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:00.343{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:04.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC531488609C6ED0E309AED900051C14,SHA256=660443AA0D970A0C86315D336A59296F1B2E23DE133212ABB4D9499F85EE9CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:04.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E01CBECBD0701F77D011427B5CF7DE,SHA256=5FD3F0EC7E9822F9DEF5C7C416CED321521C82333731CC41F9BFEA878B728A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:05.618{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06288668EE55248D1D459B60CBAE9571,SHA256=9FA854D526CFAA04D555526D8342EFF270BFF7E85D691DA40FE635092AF5167B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:02.577{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-58656-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:01.873{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:01.446{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:05.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DDB5293657D13F1ACECF215C9C20619,SHA256=F5A48F154E3CDA71CE5F1A4C8C46960191EBAE7BAB44B6C5601142C66EBFF603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:05.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F595FC244FF85E170D692B62436B18A,SHA256=F9FC169CFC82E1C5BCF9A41BD123523F8C386F109EA282C3CC5DE982D3108D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:06.633{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E64E2BAF2894D4E75AED4B50AB40EB8,SHA256=23EA9596CCAF516F598EE41295BAAAC26D7C11B8891BC4F4B0A7D7F867A5EC8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:03.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-5552-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:02.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8D3BFF9084C2D5577BA658C75E32B48,SHA256=3B70D978343E33D803A6E76338198E1649B0441D3589488C97C6C249D825DED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D26C1A01ED5E36689DC0143D0F7131D,SHA256=9E114E80E4E66134BD9BFFBC339863EC76CFA791DE08CD2610C859614D538844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:07.634{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D6B09D88549E756861D0872F80A446,SHA256=EC25230E0B32F0AB864FFEA58246430A65A0B87EE179ECCCD13430260ED7F69B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:04.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:07.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=684DECC86F040CA6EE0E26D590FC6649,SHA256=10FC66C54FB3B31D882CCF2E0C3595A482AD96CC316C466D9EA1BC0511C69180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:07.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43ADFC4553856EBFCE6569C1B6F9A15C,SHA256=CE11011C3A98D1499B083613EB6A3D84AFFB8975B6DF277DF64CF7659635E38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:08.651{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EDFE36E68FB48BC49565A3CDEBC414,SHA256=6D0CEE000E4BF964C9A68A8491EE7589B8D3C8F8D6FE1E42BC3BEA293B61A389,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:05.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:04.733{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-11323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:08.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E8396389E1B0623BFAC66C255D3756,SHA256=62A9FDAF921E375D4469A52AA7D21E3A34F918AE31C5D26D34CB26A1CD539129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:08.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B06AB36D4484040C35655001E9CB7C,SHA256=62D675E8F513DE294DACE17B791DFEFD6052F108BC4CF6B76B70A1AA128705B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:06.128{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:09.716{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45331CE21E2CC1DCEBEA7A4B0CEF42A0,SHA256=989C6335C9AD58EB6F260F03F45371E19A20C36B4BDA0791709D9B05DF6E3EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.432{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61648-false10.0.1.12-8000- 354300x80000000000000001290126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.342{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46814-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.333{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46733-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:05.826{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:09.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9631D86D6730FA07E61502F3D4BA78E8,SHA256=ADAEAA336B6F531961C562CC5D3BB1DD12E053B93373710C3B1873B5D1FA03A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:09.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F247590BC143D5C3E63A3400C1014FC,SHA256=9FCB48DB14BD83B557C1BF0AC1384B02CC75D75DF9662BB990CE770CD65DF092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD1E-6152-6228-00000000FD01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD1E-6152-6228-00000000FD01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.853{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD1E-6152-6228-00000000FD01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.847{5EBD8912-DD1E-6152-6228-00000000FD01}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.815{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6AE47AC8106E56BE8087F137872AC11,SHA256=36BC041AEFFA3D00FADA55819B5CB79DC3A89ECD84B70298597C9B3887820DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.731{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C35CC567C03BE3C12ACD6726ED0CEB,SHA256=4ACE39D3D85542500C46C15073F5D5A0884C8BF3F522B058B37D02E3CD1BC357,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:07.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:06.950{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-23229-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F4EDFE9ED8FA60C0152D244D2F99CB,SHA256=4D3C11C38BF094516B52CB2AFD1E336303FA73F2FCF4B159EF8738304E4EA67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.362{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.362{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.362{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD1E-6152-6128-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD1E-6152-6128-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.169{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD1E-6152-6128-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:10.170{5EBD8912-DD1E-6152-6128-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:11.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDFA5D0329F271A0A96FEC8BA708677,SHA256=3EF3948CDE72037E661240E5CF53C068174BD007AF309F071C6E2D8E2C1C721A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.643{69CF5F33-DD1F-6152-56A1-00000000FD01}3684184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD1F-6152-56A1-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD1F-6152-56A1-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.377{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD1F-6152-56A1-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.363{69CF5F33-DD1F-6152-56A1-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5793BDCDE6B172DAD2FE5A13EE72E7,SHA256=41387D12C183371DBCBD7B706A7677EA17DED284FB79C5EA58041BBE82461F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:11.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A19BA47603689715B9A9028FFC7894,SHA256=524D52030095FE3BD215122001FAFF75D68D5391765D41082BCE07BCF68567C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:11.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C0F96E9A98FEDD276FAE8469F5B1AD,SHA256=9B6839D65D3FC0107666CBEF464D86C09F9DB63A081CA9C3A6954EB0FED94121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:11.058{5EBD8912-DD1E-6152-6228-00000000FD01}25805560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001290134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:11.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2081D72638C7DE8EFD6291F1392EA20,SHA256=9AA7462571BC8C4C93F450AACE2CF9E712BEF27C31642F421921E228CF3EC9B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.920{5EBD8912-DD20-6152-6328-00000000FD01}67647004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.772{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CED486072E676C8EC71C8072E2CC56,SHA256=F6795ED7ABC02CCBA23D70B2B0DB2506D3789FE098BC62D62FB52C48BE90CF34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:09.761{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:09.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001290181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD20-6152-58A1-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD20-6152-58A1-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.737{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD20-6152-58A1-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.724{69CF5F33-DD20-6152-58A1-00000000FD01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5237FCBD26920D39A6C9E91A343228,SHA256=3EFBC4123A5C0B14FC850C388C0F476E4F834E9CC36F2D49576A105C0A2052BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.735{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD20-6152-6328-00000000FD01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD20-6152-6328-00000000FD01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD20-6152-6328-00000000FD01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:12.720{5EBD8912-DD20-6152-6328-00000000FD01}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:11.141{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001290167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D001B1F75262B0C41676A95E651E2CF5,SHA256=547C2B993ACA4C0A3BAF19E959BE2CFF4B32ACA756EA5911FFB251A0938F83B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.283{69CF5F33-DD20-6152-57A1-00000000FD01}12241888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD20-6152-57A1-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F28-614D-0C00-00000000FD01}7201928C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD20-6152-57A1-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.065{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD20-6152-57A1-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.050{69CF5F33-DD20-6152-57A1-00000000FD01}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:08.639{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-58188-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:08.630{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3141-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:07.515{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-52789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E66474EF19A6FE70AFCB365666906,SHA256=5AA92C4E67DE84CC9A964FC74461C232C5DB44F9480718F2537AE689993759E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.893{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4AB4D3D28D5C584C415B052A540B79,SHA256=CCF04EBC9EEFB562D1F184CBD4F27305903E4D646CDACC959132989F6A3595F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.769{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A19BA47603689715B9A9028FFC7894,SHA256=524D52030095FE3BD215122001FAFF75D68D5391765D41082BCE07BCF68567C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD21-6152-6428-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD21-6152-6428-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.388{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD21-6152-6428-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:13.389{5EBD8912-DD21-6152-6428-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001290198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.643{69CF5F33-DD21-6152-59A1-00000000FD01}38403372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001290197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38AE1A74871C8A24DD43F506802EAD94,SHA256=FECCDCF03CAF7E6F1E9837BF9EB15DDBF2E0D0FD74783F2892671C3BCB2982FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD21-6152-59A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD21-6152-59A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.424{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD21-6152-59A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.409{69CF5F33-DD21-6152-59A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:14.818{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C196839324D495D45255F7E898D4AE,SHA256=C9A9D67968546E4689903AD02B9DEA638F01B5AC85111FA8D5C83766115B430B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD22-6152-5BA1-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD22-6152-5BA1-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.799{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD22-6152-5BA1-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.785{69CF5F33-DD22-6152-5BA1-00000000FD01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B302511A664A9C5BD0E9C98A66C15A3E,SHA256=7ECE928E58034817679AAE1DF23706E629B51BA0EE53940A5B577A8BBA2C4B3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.128{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD22-6152-5AA1-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DD22-6152-5AA1-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.112{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD22-6152-5AA1-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.097{69CF5F33-DD22-6152-5AA1-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.888{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:10.858{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19222-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001383837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:15.848{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C6A19E094063E15EF59CE817C03AB6,SHA256=BEA9562E7B86A39D369DF1BB68E17C7F55ADFF601E2D3E0FF2DFB75E89855C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.815{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF6B851200487F59B0A880156AB631D5,SHA256=D3574CF9D5D482C7FD547214F43781BBD1306183A352B18DE157C4C89EB11225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D8D05BFC1505F96EF940BA40592553,SHA256=49597670C10067DB8B50E762E6A23C11E4162D0B492B4A6E5550C7C709A6788F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.002{69CF5F33-DD22-6152-5BA1-00000000FD01}19763544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.916{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EDE24CDF1609717725ACA93DBAFFDE,SHA256=2C61EE7238B54666DECCE9C6499E9CEA4137A14CDFCAD00AE562CDB8065A9920,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.869{5EBD8912-DD24-6152-6528-00000000FD01}31086124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD24-6152-6528-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD24-6152-6528-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.647{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD24-6152-6528-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:16.648{5EBD8912-DD24-6152-6528-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.416{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61649-false10.0.1.12-8000- 354300x80000000000000001290234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.044{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:12.042{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC424CAC970F2FA09188D3A3189DD64,SHA256=F7EB3545695901FB705F9DA90C28584AFE57A0E6311EEECADFD1826B7FDB0611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.917{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162CFEDB2A93AF350C2D43A7A302164F,SHA256=424DDC44ACFD2ABAF74CB9201320287B0F17FD369FA1DD09BE7C05EC27D57A89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.537{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com12013-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:13.142{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17D9CF56CBA6AA6A686F51CB8FD45ACD,SHA256=05DAD7B783948F56AFBFDD2F86080F254E91233EA6B5E4834A766F278E33A9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D91211F6FDDC1CDD5FE846C65D0873,SHA256=E3AB95DF0395EAF991440674E22B497BE62371DC68E8824C18B2ABEAC98EC5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82371EACB78AA1E036D0EAC37C2B494B,SHA256=A8FC47D3156FD6F6C6EA453F79A43A7EDE7571AA1A0557BAD686331A9441CF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.485{5EBD8912-DD25-6152-6628-00000000FD01}2966480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD25-6152-6628-00000000FD01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD25-6152-6628-00000000FD01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.316{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD25-6152-6628-00000000FD01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.317{5EBD8912-DD25-6152-6628-00000000FD01}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:17.042{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:18.931{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B063B0B0C868520583601E4A9D6BA08,SHA256=B8002750D781FF8300392B013A4581D1D24A159272CC218762FB8B253E41DCC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.451{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:14.312{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42998-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D25F968F9FB0F8054F3512F2391484EF,SHA256=A436D4B14A8829AF21F3800F90DD307DAC88B28ABC4ACB9DAE54C4BCB37AD0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.036{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68E10D9C6C4B1C474B610677F4B734C,SHA256=D252654E16E7362A31EDD4A067ED0E4E279D27A5AAB642CFF491A5F83254B16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:19.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4793D7F2A5A2A236EFDACFF247819BC5,SHA256=9BFF82631DC99C86DDE5E8E0E06B26AA6D71E24B37D2E457A17147FABCC0F486,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.165{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38139-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.050{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.992{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.970{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37320-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.948{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37154-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.913{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.876{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.852{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.830{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36035-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.746{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.641{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:15.421{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50752-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:19.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E904715C1C66220676F24775B10FEEE,SHA256=C055102EAAA98644BB30A7B02AD6759985BFF470029EE6BF3FE627327FEDFA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.965{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921EAB572CFDD726D25F15606F14FC9B,SHA256=8BA2E6BDF84A4F87A4C5AA86A018C31300F86D1B7C39F37F2336285468AD2E32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD28-6152-6728-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD28-6152-6728-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD28-6152-6728-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:20.015{5EBD8912-DD28-6152-6728-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.440{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.417{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5637-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5206-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.319{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5067-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4878-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.272{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4718-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.249{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.188{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.165{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-4053-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.143{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3813-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3482-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.061{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.039{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.015{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2850-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.978{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2699-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.955{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.877{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.842{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.818{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1483-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59966-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.651{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59206-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59039-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.582{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.548{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58592-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.527{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40249-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.523{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.505{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40138-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.501{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.482{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.459{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39879-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.438{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.416{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39601-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.382{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.361{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.339{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39225-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.317{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38936-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.280{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38739-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.251{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:16.187{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38483-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:20.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCFC4231BEA918018EAB23A6A0654FA,SHA256=82F0052648E739B833376F54B556FCCB28F39FBA522D12146F24568DE36729B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:21.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA21EE05C826304140F97C5F772C2C9,SHA256=BB32B0DA8D0EC8C723AFBA09889F3359BF55E83CB1D22FA089D971A3ECA84D6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.096{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.073{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.050{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.027{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:18.003{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.979{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9375-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.918{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.873{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.850{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.828{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.805{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8500-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.782{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8298-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.745{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8177-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.723{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.699{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.638{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7431-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.576{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6937-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61650-false10.0.1.12-8000- 354300x80000000000000001290317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.548{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.513{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:17.477{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.298{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001383871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:21.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A30BB271F37B638D3766B8118539F63,SHA256=C3F5B0154D6CB3839C18746647F654A5A7DF63CC08E82BBB793D60C4AB7EEC15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.552{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD2A-6152-5CA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.552{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DD2A-6152-5CA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD2A-6152-5CA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.536{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.523{69CF5F33-DD2A-6152-5CA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD98B72B648738B41E4B60E6DC2BCE77,SHA256=44BD786335C91BA8E324D5A2420C9E364817FC24BFB92EABF99B63AB39EC2371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:22.061{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0801EFDCE5759EF8395A36678CE6C5,SHA256=A8B49A98AE588C0B3CA118B2F780999BCE6C709B0934D5F87276A2EA55081D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:23.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0D615892693568D800EEBB587EDFF46,SHA256=6A2213507B961D0C09D6F2D98631C9B5C2E72A1C091B055C845110AA6E487F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:23.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72A285CBAA71B0C04D0796D3548700D,SHA256=3734EEB8E93D5754A457024D7D5962896E8A5EC4D8D59E6755902619C536877B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:23.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F161C3790FFB507A90A71349DAEAF3,SHA256=006325FE7B202FB591F65D4CEFF285C0031827A0CEF8D296CCC303066CBE57CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:22.255{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:23.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A06AB178912D5141198221E502478BA,SHA256=411D25AB8C5381CEEC8DF431F32BAE8326B3B407ED15AFC5A1F3D48F2D70E870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:24.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26711DAA53CFC9CC02772B5D3FE751B7,SHA256=2DE0938D5C3DB650B2B616206B8BA50542DB7DAB204F2E7D92C1DFA0C0555979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:24.097{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC691073B40A8166125826598170A410,SHA256=76BC81F813327B118AFDF392DBFC209D34919215777744959C66069FEB7179CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:25.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715251583D01A571129936F27A172BA6,SHA256=B1BA82ADAFA3F5E1226AA45AC5372C36E6896EF647238918B4923FB0B9C35CF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:24.582{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.103.226.77-65351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:25.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B28E844A9767B3A9DC8AA28AC4D738,SHA256=43394832BE2BDD047222A00BB6E57E1BFCFFD7D08F04D602B254A393FCE900C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:26.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FD3156B941896515AAEC66869A40EC,SHA256=6802BD6CB56BECDE4D243D1CCF059F44EB33DD63B6AC8E677125DA3A58130045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:26.162{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DE9B42A3118D5CC3290F22A76A8F91,SHA256=B27E2A979615E32F704F8CFFE875FCA77B02094C680F5181B8B9BE00A5A04C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:22.590{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61651-false10.0.1.12-8000- 23542300x80000000000000001290363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:27.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AD58818A57D61AF5D52E5EFDECCEBF,SHA256=DE549E0802105B4D7889AB563C05DD24CFCDAE099A3FA1FD71E23265DE6485F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:27.181{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D74C988563082F1AAB13DB22313925,SHA256=3D2AED21352A2E944A4872240498B54AFCB55D1A0D451DED8A40672C562D4E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:28.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1000601FB7371D715D63F37A6F49C7E0,SHA256=80FE3C95DC18E6A6B3A0FCCBF7BA115A9494895E458DE247B18DC4A624481FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:28.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85390E0ECBD1F0A6E9D6DD73A8282A47,SHA256=CFBB7588D2225BF3ED56556EA47BA23AAF5B1EAA0A030BAD5EB553774B4A940A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:28.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196B272D262E32A0B4553DEF633297AA,SHA256=14B6A64196A68361A5D3B4915D33D0A2C3805AFCE2C538184F51C43A0FD84715,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:28.052{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:28.195{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC14C60ED12685EBE299DB2F8BB86953,SHA256=7A9FAE2FBE3FEADF6A514CD94AA3282A1541139758E173DB8582D0AC848C6569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:29.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D400986D2AC56693608D2CAD0E57850F,SHA256=DA22BD670031E65357F194BF6F2343FF436AB61631ED55E7186B9769C081E352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:29.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E1F19899901404487A9EDB7DD73EEB,SHA256=91DAD0B93F7E0D92507AFCE12F6394AB01040E9B2D0253FDF6A67E80512B2D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:30.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF5C16F7843C046CD967EB2B1329563,SHA256=3BA367F86C35CB7C76E175DC6CBB54DAC44BA9D833FCB63AD4F050356DADC69D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:27.606{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61652-false10.0.1.12-8000- 23542300x80000000000000001383917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:31.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746B9D7B57C572EF970336D90D4A468D,SHA256=9C0FCAEC1EFEBC8CA0B4E0CB872AD294E8363CB337C15548B8AA0F4BA7FD735B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:31.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AD2030B2C661810B0A8505F93A3817,SHA256=806FC730B9D5CC72D955FBCBE6DE674FDCECAE01F16ADEF1BEEB863F26D85A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:32.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3F5C870173C2D236DF2E22EA099336,SHA256=1943AB25686F5E36006191053EA29D5FD3FF0A16C1547D0DF5C5D65E7DA4E50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:32.177{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379DBF4683E1B344143129D78D0F03EB,SHA256=0D6CF1A8CF308720CFA734DEF3A4BD69E968282E16D3AF76E92FA9A0A5E0F696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:33.326{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED6D47553337CDE5EDB9932A7D269B6,SHA256=BE15DA78A412A26A739A8BF1BB9B715AD4F6B5F9D227FF21C28A73803FF0546F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:33.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3CDC532342C43312EF0941419B4770,SHA256=41CB0148A2700F20A17A4B404F7CEC51FB3E6BE97CEE866CAE89025A2F479E7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:33.250{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:34.359{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EA8F7BEEB66125BA0FB53E823F0399,SHA256=7251057C10A6D35A5E0C870F6F1DF00FA177AEC5791E78C0B8DB35C6C240685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:34.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05C53DABD1A216FB1B6EB466B863F6A,SHA256=4976F9FA9F2E66BEBD4A4AF62C2D203619B73C76D0ED683C46201E79B46231F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:35.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE618F60F9DCAC304F41C15F134AD1A9,SHA256=E4B1B505A5ABFFD89239D6D76AA4A2A21DB3B3A1D793560553E27C6E0AF34E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:35.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE076F3275BEF2FB3508CCE5C5CBB81D,SHA256=9E9D905FFB479B02F8022051E8812A91FCA2F859CD559DE1C4CC6CE1407D6C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:36.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E686B70CC498D3C5C7A51C93E77680,SHA256=1A0216D38197BBD1172A51766D7A84E0D73BD73DC03D19EFF72E2EC30F04BB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:36.407{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F44A9317089D7478F7CA6610267EBEA,SHA256=78B88727DEB283EEB0C8128D817F4347C6A5D9B1B6AE48C05FC8C1EE65731B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:37.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FD7B699CD64F70A63C953149C38E4D,SHA256=186B36C6B5E62581CCFA63D961CBB5DD4699C8D6D778C7F0E6FC3BF807B151F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:37.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3070569B897DC9B2CE520CE4F2C8C5FF,SHA256=6DBB8CDE65FE37DE5FF63892DA87E566AB185AF39E4B1598C24F613C8177ED3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:33.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61653-false10.0.1.12-8000- 23542300x80000000000000001290375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:38.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26070E94AE3575238776FE9AB93C6317,SHA256=A0BBA0006A25ED12D95494F62CE5D8D74625965578A78FCF0C89305A9A3AA245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:38.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B4C0AF85B78D744D1A9F4D84D0D12C,SHA256=076ADA887F446EFD3300A5D1C1E96E6B4D5ABBA1A47CE8FA865A35CC0DE7C648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:39.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C83252BEEDC9E478659405BEA54C1C8,SHA256=B8F890FB83D827816C0FCAF50C106B3D41E90928FAA871A9FE78326B2C37E0DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:39.116{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:39.453{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A3B1941EDB9E6DF99392093E6664A,SHA256=C1470D22AA7BF9443CD4570A813DDDE30D89234C2F7108A927A394F235B5AC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:40.503{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FE55E0057F5120AD26458950C9E2B9,SHA256=1813C86DE6F15EC3BC23D9BE9CD265E7848456EDB0C1BBBF05477637980898FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:40.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5399F60A89E242A79809C0F1AE8ADBE4,SHA256=44709EC6E425800A40D4C71CA918B65E219B63F8C8D6C2A9C86DD1D275BA58B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:41.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9435398441C6EFBAE8D4E898801E2FB3,SHA256=3AD90CE1EC32F4B45650850247D89B453A13B03CFAE68FDA360337C996DC5D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:41.504{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BE8C42EBD7F09C28CF83AEFF443DE5,SHA256=E95EA3E571F7855043F513420CCF1AA4F65A9B3C9DA7A406E2F3CA4D41227198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:42.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99F07EB8FD0D9B9E529B78942A351A6,SHA256=A2C587994FA744E79CD0427673DC44F85D8BA47B2A7C776AC0FE8A17172A00D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:42.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3C2620D46853FD46C9F12DB2E716C4,SHA256=211048C0DEA70FF7B2E22AA969627A8241D31A2C0197ECF8CD64E46C7026864D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:43.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8AAD2CF34E8EE5D333EA9F8E5BDE1B,SHA256=0418CE6C2BDCBEAE73551F3B2D295478F04AF50EE17B31F9901DEF277FE940AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:43.029{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51406-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001383934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:43.029{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51406-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001383933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:43.555{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58497565A51BF1161127EF39BD01C913,SHA256=77FA06489F35C14E073205F07F2E0CC4CF4523578AD4BEB88372C16DC60DED19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:39.453{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61654-false10.0.1.12-8000- 23542300x80000000000000001383932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:43.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F714E47AD821B104FECBAA6A45D76D7,SHA256=9CC159FD97163E80D0F91686375364FBCED29CA7F0D547D774F6A2D8BFC58A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:43.053{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85390E0ECBD1F0A6E9D6DD73A8282A47,SHA256=CFBB7588D2225BF3ED56556EA47BA23AAF5B1EAA0A030BAD5EB553774B4A940A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:44.227{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:44.569{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641826D60761FDB7710B7A226E6A55CD,SHA256=783AEB31F18F0E01045A78C6E38683033D9CDAE7C5DD0190210B042D06817A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:44.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4B2EB8F4EB35ECFA5D7D7EDC731A51,SHA256=FE040A228CF8DC38B99BD07F698526A092E34EFA18721CFB3048BFE322B6C0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:44.304{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E274149F836F2CCDAB2D62DB681C71B3,SHA256=DB037C4C2D33444F577520ACFEF6C679AD54AF2C66EC14850E9AA3688D84A547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:45.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8270513683C4BAF22FA2514EAB63C919,SHA256=B9F1778669222B4AFB7E3BBA48F5C7D612CFA75C1886214D143F6D45895666E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:45.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DA29713C93E376A6134F07A4B68752,SHA256=5BFFD4EA6DCEBA4CCDCF9BB1CA8E39D41B1B2DB107ED5CBADFAD91FF4A9C1638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:46.600{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ED760DB4D11B6A3CEDD223875CEBA7,SHA256=4868AC75AF7907247659E3CB8DEB8E44AF7A7FF20D5B9AC66AF313348775DDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:46.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B3199F1CD243D7C278475575094CC4,SHA256=F1BEC7575F133274A184DCDC45D22952732C7C302047E9150A13D0262DEC85ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:47.630{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:47.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051EEA5C0A3D4848C4C579EC43B7491C,SHA256=DA61C99FC19D370C1D31D00EB634C3D656CA94995084935F2E6947FDA9A13E04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:44.003{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com59467-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:47.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C924270AA15AC515D120CAC95D29E6,SHA256=1457F97C3337D47040CB672FCC6E3434F149012F59FA2A9122D7DDB6D62390E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:47.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D72BD378E7B4A947AE1DC1BBD38891E,SHA256=641C1DE8C341C1BFB37CF19194A8476A2DB60550D1757854756904B9858A1DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:47.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0D615892693568D800EEBB587EDFF46,SHA256=6A2213507B961D0C09D6F2D98631C9B5C2E72A1C091B055C845110AA6E487F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:47.117{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:48.610{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001383942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:48.649{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782D6CA78BB515C878BD3ACA115D225B,SHA256=E7088D2CF4D4FF5333248D24BED4A99D764A0216A5A0F7B6441C142BA2D0D24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:48.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6BC160A7B3C5F336D77CB8CC54B231,SHA256=D3A80A6B6A772760F20C048EC860F80D7618AC7733B91BCF4BBEF576B8DB5E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:44.593{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61655-false10.0.1.12-8000- 23542300x80000000000000001383944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:49.666{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C29A2262AA04EBDFE22590D6A2EF3B,SHA256=28519191EEC5F2754360F57ABC4187A600E3C97BA18FEE6773E007A334E63D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:49.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34D9B15F3881048F31579EB26D452BA,SHA256=8B50647CCD3551EAF135C2C859A3B7575203053238BF76E79EB3FE8BE127B8F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:45.454{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61656-false10.0.1.12-8089- 354300x80000000000000001383946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:50.192{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:50.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC00703EED75FD304B86C7C15351E36,SHA256=B4CD0EDA9F78770C76602E2F924C54044BCCDAF4A2741A5840D03B738C8F8E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:50.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736788A606C78121FB06843582BB7871,SHA256=A75658DE8F6CD1B642726BAEE0208517A4741B997B56EFC29EF61F65612CFC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:51.696{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFED9D6EEDFABBB1B0CA1BBAB2D3EC04,SHA256=3D2C4C2175EAA2EB701F77C034B341BEA59621D5FD75FE56340EC291D7870BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:51.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A56826A672EA1F30E6BD9473429EB6,SHA256=1B3288D5C127E143104A06E930B4C32FC23271B074CC6902C5E75BFECC036B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:52.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B98EBD8248A2A38F4157A2984D5E10,SHA256=9EAA407F169DA76F5F9AA9D737F6E160BBE1521F54FD8659500E2B5CEF1AFF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:52.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E031B267142A77E25144CAAD1C7F27B8,SHA256=8589C74C5992F5F36B656F798A8DD1BC28EAD252B58A509231188C0E42678125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:53.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538E4742795B203F9F93623369E579E6,SHA256=658505F8887A3BC57A6AC1514BA7B29923ADFFB47525DC063EEC0A7CA1D9663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:53.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904D3AC7EA703F92CEC1EC2D1AC38C4D,SHA256=81DA2CAB7C35AF859F6FC42BEBC4565F817EA68C7F7F561ED09FF22EBEC5EFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:54.761{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD95D9520107533D80F6CEFA400F6523,SHA256=1347251F778FD3E14E8CAFAB23204D2E408FA85AF31039FFDFAF9292B040A532,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:50.437{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61657-false10.0.1.12-8000- 23542300x80000000000000001290399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:54.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36B2E2D526D4993B8E1F6EACAF01789,SHA256=D74689949D470A19671C17E55D9A9E317D15632E962F591A60422FB840DDD27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:55.807{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F071FC175BDD8A8A474E61A111B5B105,SHA256=AC9961532BF332344CF7D7742C113FC49B00CB62766E831EDD068F4E5E1726CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:55.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064323999FBC148B4DB0740B1D3856AE,SHA256=5B7FC139615F99CBB2E958E7B41249425BCF0BB826976E219483E78CAD5E733E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:56.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159408078927D52D4FC2F79E91B9E064,SHA256=FCA170A4BF3B970B00EEA32399AD8964EC13AAC9542200B4A041E231B4965A77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:56.155{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001383955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:56.024{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com42502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001383954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:56.822{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295918A4B26735DE86E9681B7EE9699F,SHA256=767D64596D0077A02939820C36417AA97062D76985C4E5A883E994CCF04249AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:56.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992BC4CAE8810E3A7271F86D4D9736CE,SHA256=739CA6793FA4D8D2D3F20DEBCD1F3A827252259B9CE3B26F6D3F4F9AA6B1B29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:56.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F714E47AD821B104FECBAA6A45D76D7,SHA256=9CC159FD97163E80D0F91686375364FBCED29CA7F0D547D774F6A2D8BFC58A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:57.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1B0B53063B01333BC43E6C53CC5CAA,SHA256=4BF84223C263783BA6269AC52B3266593123FC7FBF91A4C74FDEB5E926DDC071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:57.859{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9EF213238B853C3868E44186646079,SHA256=799B000750ADBAE44E55FAAF87807F05BABE67B516BB4D969B693949FB4D67E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:58.905{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B52A7017EFAA3AC45A4A4C337BAE08B,SHA256=EFF88571F894C734790A0C1CA7048600DC6CDD9FB0EDD5E4EFC082FFB4EA4CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:58.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE1AA2D41721A39908C1DB82EE37F8B,SHA256=D967E8DEF4F8DFF0575F52676A11C0E0A11F11B0128F9D829DCD794CAD68407E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:15:59.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354B3C14A657A3B97821C1E9AABF9DC3,SHA256=F9BE8E2A77B78EDF80C6F8C799ADD47457F80A234DF037D0981F7B2D8410682A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:59.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FD977089167EA89BE5710555DAD12D,SHA256=7C93C25B65852AFD84966B27B0534AF0E8C638C803AFB926056EA9F6BCCC49D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:00.938{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5197635643A0B620E6D431F554A8980,SHA256=1B1422AE8BC052E9808A68CB8F3FB284EEC07CC7BA711D83B9E78B58AA867DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:15:56.455{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61658-false10.0.1.12-8000- 23542300x80000000000000001290406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:00.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A04C954994285C5C224BEB9D696E77,SHA256=83282741A5D9E8414A4D089D9BA04204DD1003C370EC5D92FF15E34ECE91268E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:00.758{5EBD8912-8CBF-6151-0D00-00000000FD01}9007116C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001290409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:01.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420FAF51BAE444564794C4FA598126EB,SHA256=B9F8032D25796E296666A21640CC505D6D7B1880DBA933DAB1FF9EB71EB0B5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:01.107{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5716MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:02.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306D3668EF89D6D8A8FE695F1812E02B,SHA256=710D98BE3B0601CDED7520C09F8A04DCF1A304F2FB999B2214660B61CEB57547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:02.004{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67330CC79689C1BA194A449D399DF18,SHA256=5C258CF89E8CD18D98C3347005CFBE231B2FB63ABF317A291DB4C2018CFADB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:02.106{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5717MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:03.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FA94F8DA2B12E9F5382D28286CE7BE,SHA256=C9C31F82BA158BDF62E03E72A2BE618C376DC7C7D8549BF0CC1EA1A11BC1EC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:02.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:03.019{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B811FC5200764A156A8FD5045446D9C,SHA256=BC29AA9CED222F4D7153220527C8878EDED9E7E01B43B2973F04014B3946084D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:04.122{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1399MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:04.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF258000A68BA9BFE63426F9F576803,SHA256=C39BC41575907EA9856C6289911B64271A5F7A6862C4ED2842261CCB48737D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:05.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA127003858511F8BFC4EE611FEE85BF,SHA256=5C8B54BABE9EBBC5EA7CB4608C647F2A321A9E734CEDDCBC72A5BF7EB3FF7271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:05.135{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1400MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:05.061{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73D74773FC372B6A19D2103D9EC56B3,SHA256=99265E37F2700F3695C85A9F5A91E61320BADBC9FE6357BB05758BD83D428D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:06.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD8E31DF8D910EDFBEC0260715759C8,SHA256=C9DFB928BA65FBE504866D62A07F32FE92DA74B29A343D588AB39F06CB912AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:06.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B72780F51F485EE5EE7CE58926F8038,SHA256=E57D41F46500470556F40524B5502797D83D83659AD2A752D50C95D4F709C7C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:02.395{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61659-false10.0.1.12-8000- 23542300x80000000000000001290416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:07.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE08B273348034B50328443952BE29B,SHA256=94F8C1792D9C359A403C1463C9AFFDBF5AA4484A12DABE56E06FBBB33580AB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:07.136{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94E6E388C966D841CD2B6E84C0959D7,SHA256=57AFDA3455E307AFF25872BA9F4976ECF06B6CAE79CD9708FFA14E5915D02736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:08.168{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430F6352E7E19E27637F8DB21AA74D0C,SHA256=BF508F896B27BC36670D03C65F4871219EB01D481936BBA3A78F2B1E4D7888A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:08.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E9D40049E1282BDD7C02C66751D205,SHA256=4384A4739FD8431EDA31C4C3DE5457C320F00AE068465F3463C255AC6A56F38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:09.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C44BB83680AFC1B1FBD6EF5214042F,SHA256=698530545D6C636709768EFA8BB1F8A3D5E2535284F2BCC241BB3A9712F83510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:09.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D72BD378E7B4A947AE1DC1BBD38891E,SHA256=641C1DE8C341C1BFB37CF19194A8476A2DB60550D1757854756904B9858A1DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:09.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE95A137356859A5C8C80187C0D10877,SHA256=64EB56E63CD09E04F1EF8FF026679B8AC31D2774FF3EBD310CC948974B2B0A54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001383973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:08.129{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001383972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:09.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880616F0F2A3D8E71F9874B25FBF5780,SHA256=916736DCE00C4F2CC9BF48CBAE5AB7BDBA6721AEACF536BE0DFB7B8BADF2719C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:10.888{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C44BB83680AFC1B1FBD6EF5214042F,SHA256=698530545D6C636709768EFA8BB1F8A3D5E2535284F2BCC241BB3A9712F83510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:10.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DEC99E99EAE7A86AB4BFDBD624A636,SHA256=5EE6D54338A9029444D233F70BE3676FA3B3191CA4AF50159730A73A114255D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD5A-6152-6928-00000000FD01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD5A-6152-6928-00000000FD01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.867{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD5A-6152-6928-00000000FD01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.868{5EBD8912-DD5A-6152-6928-00000000FD01}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.830{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B9F7B3F7868EA687C51C8A48DECB69C1,SHA256=72009E1125C99ABD9534C94A8739B62FFDBDF71B7927FA1B9D3943C3BFE75D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736662E5895CD9869A03561B5D76DA17,SHA256=AA631BB19BF3A8496C044EA088449F2697F94DB757AFA58D61558773934759BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:07.057{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61660-false10.0.1.14-49672- 354300x80000000000000001290422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:07.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-59098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:06.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-58934-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001383982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD5A-6152-6828-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD5A-6152-6828-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001383976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD5A-6152-6828-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:10.183{5EBD8912-DD5A-6152-6828-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:09.740{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261660-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001290443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550217A5A159261501CE8DBE06FC312D,SHA256=900F4431E0CCBED035D0A4A11D7B2E8F85BF45F7662DC1282EDF4F98AFFE782A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.560{69CF5F33-DD5B-6152-5DA1-00000000FD01}22763268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5B-6152-5DA1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD5B-6152-5DA1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.372{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5B-6152-5DA1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.357{69CF5F33-DD5B-6152-5DA1-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C8E5B7767E50CD7F55BB42696C9CD5,SHA256=B9DBF8CC9B272F757299257B76F159E5C753DD80F5C3296CB29A440BDA4AFD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:11.251{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556E002E94F210A3BACBD4E9AEE6BFE7,SHA256=59B3A88E6CC3E1585C343B3D6B84A990CB5BBD3BF8CB5FD1284992E733639B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:08.163{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:07.599{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61661-false10.0.1.12-8000- 23542300x80000000000000001383995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:11.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB71C999CD31993616D8F0A148D6DA9F,SHA256=457A69801F383800DE0DC389F32AE085AEFAB0BAD7A1BCA2074F976C2B7114F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001383994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:11.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992BC4CAE8810E3A7271F86D4D9736CE,SHA256=739CA6793FA4D8D2D3F20DEBCD1F3A827252259B9CE3B26F6D3F4F9AA6B1B29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001383993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:11.032{5EBD8912-DD5A-6152-6928-00000000FD01}55606920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5C-6152-5FA1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DD5C-6152-5FA1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5C-6152-5FA1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.654{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.625{69CF5F33-DD5C-6152-5FA1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E6EF5C7303BA7A4DA85F176482CAB8,SHA256=88A380B091378188FF4AD9748ACB5556EFC44703C51D0B471F7B5985110C3DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD5C-6152-6A28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD5C-6152-6A28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.734{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD5C-6152-6A28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001383999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.728{5EBD8912-DD5C-6152-6A28-00000000FD01}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001383998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:12.266{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D8FF2868965960D6B23E5C5772D705,SHA256=CA78B1915A3D0105E1C970F87A2BE7AFD6E5C36D31D845F23398F7C1E87D733F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.310{69CF5F33-DD5B-6152-5EA1-00000000FD01}19001980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5B-6152-5EA1-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD5B-6152-5EA1-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.013{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5B-6152-5EA1-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.998{69CF5F33-DD5B-6152-5EA1-00000000FD01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001383997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:11.166{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.101.135.90-57568-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001290501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5D-6152-61A1-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD5D-6152-61A1-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.903{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5D-6152-61A1-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.890{69CF5F33-DD5D-6152-61A1-00000000FD01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.888{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83ABB9EFA7CC592B18D06974A57C4E0,SHA256=7DE457B69FDCCFC0951621C208CAF19787C72D16016ADB243807451DD78EBE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB71C999CD31993616D8F0A148D6DA9F,SHA256=457A69801F383800DE0DC389F32AE085AEFAB0BAD7A1BCA2074F976C2B7114F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.548{5EBD8912-DD5D-6152-6B28-00000000FD01}42606988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD5D-6152-6B28-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD5D-6152-6B28-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.411{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD5D-6152-6B28-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.412{5EBD8912-DD5D-6152-6B28-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:13.296{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D57435F6028DE2A6EB891396413E582,SHA256=C061BAA2BF68C8E7036D24CAB3A26915E5B1E7E60AAF48DAA56E56DAC6A814F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.482{69CF5F33-DD5D-6152-60A1-00000000FD01}31441616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001290486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:09.271{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8657-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001290485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5D-6152-60A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DD5D-6152-60A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.278{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5D-6152-60A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.264{69CF5F33-DD5D-6152-60A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7896813C65ED5EBBFD709633D6BFB4,SHA256=94BA85C3FEE78D7D0A86271625D65417EAF6B5D8437B7F764EB07EE1579CC6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:14.331{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285ED4505FE9A254071993504A94A369,SHA256=B1FC77ABCD944F15519821F9B11C572024BD378222FBB22A61240F8F177397FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.795{69CF5F33-DD5E-6152-62A1-00000000FD01}36403592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD5E-6152-62A1-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DD5E-6152-62A1-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.528{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD5E-6152-62A1-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.514{69CF5F33-DD5E-6152-62A1-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:11.537{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-17370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:10.380{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12988-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA29496A192FCA88AFA389B2D9397F77,SHA256=A21B873DA8EBB5DC686C8C56A72462AE5A958034AF4A689CCE47A3F69996CEB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:14.059{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001290520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:15.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18FF4DB46494CB558C432B39F139901A,SHA256=909BDF102C64A3A5425006CDABF4AAC04867598AA379B91DE60620B13A60628F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:15.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F8A632AE134E093AED5C54B336BE56,SHA256=33A9A5034ED276F22CBDB8812BD55A3C74D417B0BB81FDD65812FDA0655BCFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:15.362{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E6A435247836B5A777B71576FA053C,SHA256=DD74542206F89589C90940C13A24843A2D7802A87507D0885621117FD8F6BD25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.427{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61662-false10.0.1.12-8000- 354300x80000000000000001290523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:12.631{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:16.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5EC232B182F8D94FBCDA49952748E3C,SHA256=CB14818E6EFCCC6F786A1C0CE36CC40674E0BD393A7286527730D7FE0AA6D564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:16.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AE21B1B810B890C14AED60E5F2E7AA,SHA256=F287B13E92EEB81F4A38CC4E270BFC1A7BBB9D6959A68B2C578CE92FC67D07E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.808{5EBD8912-DD60-6152-6C28-00000000FD01}58246212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.692{5EBD8912-8CBD-6151-0B00-00000000FD01}640584C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001384029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD60-6152-6C28-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD60-6152-6C28-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.645{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD60-6152-6C28-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.646{5EBD8912-DD60-6152-6C28-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:16.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E7C6913E271F82B62793BEC973604,SHA256=BDE59CB3B54B0DA8047401BB02EF9134E4CAAD9EDD17F71F325BCE116879C5B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:13.830{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:17.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7FEC01C25A93E43FFDCE31612B11B6B,SHA256=90320971B956E44C589E80005397D7E789F68C084A0BFC189467DB9DE339E5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:17.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BD9A6B72EBC862D6784C1F788E2F6E,SHA256=B05ABC3187D295B212C543B7F6B3C1033958C054F9657E43212AF22D551A1CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.760{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50BA2AA30159C7CD7C206E84305D78D6,SHA256=4F09F2257B8BA966CF139D962766FA12B20B018B47FB3C33AA5B420E46B89A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.461{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD465D1E5C9688141E94F1537683731,SHA256=697662079BB4074DA4C5F4A93D267E0E82F924AE829053F51A356930E7248EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.408{5EBD8912-DD61-6152-6D28-00000000FD01}64845660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD61-6152-6D28-00000000FD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD61-6152-6D28-00000000FD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.244{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD61-6152-6D28-00000000FD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.245{5EBD8912-DD61-6152-6D28-00000000FD01}6484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:18.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA99FAAB022FB22FA1A7EC99EB498A5A,SHA256=9C9129A5C51C813F6FBAB9D012AF611DF102D3B3445D94B358882903EEAB8D44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:14.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30474-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:18.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EB4EA21959DD72EFE32471DC75ECEC,SHA256=F895C44B01AD6A321D4FB2336067310E762F1FF5BECCB7A1585C1C161A98C348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:18.507{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25209CCDF89A723156094773EED96FD6,SHA256=E8FE0CD4031899EF8A187ED7E827A0A83C78278DBE50E32AEF07EEDE7E2CEBAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.691{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51416-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001384047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.691{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51416-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001384046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.582{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local51415-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001384045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.582{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51415-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001384044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.574{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51414-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001384043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:17.574{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51414-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001290533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:19.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317D4D9B48080E4D47B109BD0FFAA322,SHA256=DFD7A3B9C9C3AE7C419B0393E316E4E47DC50D56FCA03BE7CF4E0343D400FE84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:16.158{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-35301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:19.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00395D6691E88F230671CD05B33F5713,SHA256=8A742BEF7A6D52830CA5183807E9DC0D356B413F5CE1A7E309FDA8105CADA0DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:19.543{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA915E2FD6C2E9CB8B19F9CD4DA6B51,SHA256=CC9FE6FEBCE4417F9EA45B9BF4BF6FBE8876F778807D0EC930F597E23CE10EA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:17.224{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39341-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:20.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E0269CBE8571C3DCF657542CE7B6D8,SHA256=511CE29D8CCA9A20CF207E5CD095E8BF983FD1B0BA5CF21FACD1FFCBF2356E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.573{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EEDAA13821BE872A4CDF9E291D0916,SHA256=73495A297867CAE5FD0872D1167696C112C83081B79E1C71635F490B6A0B7F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.100{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001384058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD64-6152-6E28-00000000FD01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD64-6152-6E28-00000000FD01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.005{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD64-6152-6E28-00000000FD01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:20.006{5EBD8912-DD64-6152-6E28-00000000FD01}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:21.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F206D3F6D86F63DA8452B774224017,SHA256=1785DFF6DCED347E2C044B3D8FD66DFA8A851E3C4185A38587884109FFD95E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:21.603{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E832F343F4BECD3F3B5C77CFCDFD0F86,SHA256=FB4A578A70D89FA5A23D813D6FB3A4B42C6C7A88A6A6FF306F01A7C88F629FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:20.996{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51894A16214CE4C1C85EEA110B714431,SHA256=DD3E64F74126A8D0397FEBDEE269826BE5AA38EF66B6FE32F05CCF6AE59DDD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:21.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624F9BF9D2704A23ED2058AC667FD2E5,SHA256=E1961562DD9713C826C76C0DE138E500D90E088B0EF3AF7E9A7A830B89FAC5BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:19.410{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61663-false10.0.1.12-8000- 354300x80000000000000001290554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:19.385{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:18.286{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-43696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271F553D97967C99C609000227CFEE89,SHA256=1EDC18379168A28C377F625A64F348CA865DA748CB090507B580C1116A604973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:22.621{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4623D5563884DEF8DF23965C29F33C8F,SHA256=61676CEDBAABD8F6051814B65F6006B89B8AB1EEB31A44CB0F346CD78F1BA0BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD66-6152-63A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD66-6152-63A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.450{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD66-6152-63A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.435{69CF5F33-DD66-6152-63A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEB9B02929A0DC395A3E7AF19BE86A7,SHA256=2125EE28B085F5E8BFEF3A43580C644FFBC167F15129346375DDCE2A5EE34A80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:21.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse2.57.122.204-6811-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:23.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5510ABB4EFAA65B07A45790787933C8,SHA256=C8AF403E7A7C65BBCCE125131C28C5EEFD1924035100A225B4E9362BFD81C2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:23.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B871E595A4FB0C79E71AD15400F6373,SHA256=F862EB065D58DC01FF1756D03551227C8A8C5E4547E98CD54B092E6B1E95833C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:24.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB4149058433009D064289F97D57AFF,SHA256=2AE3A7118C4E4F3119ACE8BC29ACED9B5E493F8B03D1CBEE27BC243B055A41AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:24.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=601EC7FEC46B93ABCC2F9C05B8455FF2,SHA256=94B39E5EF3AC21DC216933DAE9358DDFA85453F71B117340D55A3B1A599E886F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:24.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4693E3158FD31DF8727862E7F870DC,SHA256=9829BE2DE551855D43DFADFE725F1C78FFCFF031D1D4536F5A13B4623677FD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:25.683{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D4B8A027EB92EEF54B2C1EC27675FC,SHA256=50B06E331FBCEE1D00EF0310A92610B70F349CAEEE401B01A9B64E938F1D9F71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:25.111{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001290561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:25.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81171E01541C18CD5E2199CFCA611A76,SHA256=597855022F6889B0B3FD7536D696B4294835AD06B1490D1A274127E8C88BF9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:25.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B872598045557F7930D476AA21F94CA,SHA256=A8D4A922474EA7DB4A92031706305F1D77FB9A6A9A4137085DC47AB043F11968,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:20.577{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52435-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:26.697{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D723EF2D7209C721F06B88833DE55324,SHA256=4EC8BF372D1B40AE82A24FD37D1DEF0AFDA046D70DCC661CC6AF777D57F1948C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:26.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C0E65BAEB9D67F533752BE635F3D80B,SHA256=6E4895D056BDD2627E850F2B6D4877B5C50943BFA6B20EA134570C195B6242F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:21.662{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56739-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:26.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009F41DE1FCE89DFA3F1820C090DE700,SHA256=EF640A08291BA399C7BA005047FAC51A219BB669C05126A8F814865E346C5D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:27.714{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A360226A60F59CB556A28077EA684D,SHA256=5E58ABC9010518FFBF68852BF107E925B8A61C5693DC47D75A9F3AD2C830E9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:27.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D80AED7B5FF644471FB6895B0397A6F,SHA256=D2D3CEB5B5B30F6CCFCA3147DE5D0D66ADA8F425EA57647077C088EB0DC100A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:23.833{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-6381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:22.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2257-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:27.090{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2586488C1A0E7272C233CA5E5C1F81,SHA256=C1583D1FD147DB0CA067D13EC6C2924A37370DBA6151DA4A3D5BCED8EA73826D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:28.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D91AD9FCDFDC3E72404EEA1FD99AA7,SHA256=70A1CADD0FBD3D2DF61F247FF342148598929D498C585EC360769E3E70006A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:28.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3088F3202F96030CF845F9CD5882FF1E,SHA256=71ED13714FE5B4BED102E401B316EB3563CF4A5669682535E2601941C5C8F57D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:24.520{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61664-false10.0.1.12-8000- 23542300x80000000000000001290569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:28.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336CDC12C8069B89FA09C740DB57614,SHA256=B4D5B9528C80B443B2240BB4ECAC07202F9833CA0232FA27211E8DD75370EADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:28.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6FF685342D342516AE6F6E4B189EEAA,SHA256=554800E68186141777D79F41C79CACCC9376E98D5C262033C7573DD4C830B98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:28.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C5C05C16D5FA25F34286422185821F,SHA256=D0D85FFB8DA1C8F82091E505E03402D7F0A1A8AC88325D38B886DC779AD69AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:29.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8970BD475FD7D0C3EBBFA71D4A715245,SHA256=26B073B70705BA98DF8A6866ECEB51D1502537A11B4E303D955F565E44F2B36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:29.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6DF9A2AECE2F37E95A0C998D10F2CD7,SHA256=204644DBA15371CB6DBBC62790E44B3FCBD1D20BE5CDE64D624BE85353ABC47D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:26.145{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-15180-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:24.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-10437-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:29.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E70E5834FA03558DF017D9ABF9C036B,SHA256=17C1C59D7AED822255BDD5764DEF7CDC80EAF2453339A825EEFABD41003E2B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:30.812{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360D0C0C9FA591A306CBA14C5B8F811E,SHA256=7173F500847D839DBB3921878D4AE48F200D4DF119D76A097D28521A769D4190,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:27.224{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-19094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:30.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C9B00F2D849765A3EF1E395CEC5083,SHA256=CD4FF782CC0073B7529FCAAAC0C323CEA3DF0446D0ABDAFC0AE340693F06BC1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:31.105{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:31.831{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A107795802109B8CCAB9A5E1E53C328,SHA256=B2E9E6EFCBA5FF27A821DBC8D9BD05C98AE6D428E4FA6D8D14769C2E72A8A13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:31.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B721CD5873961C945529764DF980AD,SHA256=14AD24FAF7F2A5198CAA48FD271314B45C74007B2F150D125000D5D45AF25144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:31.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F156C1746F60AAB18D97C1F1F789D8,SHA256=560F1E577580E702E9DAF56F70750AF9BB90AF3C7F87C6C73A35D681438AFB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:32.845{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB42A1D7920F3E33CC30B5E7D352F68,SHA256=9D70610AC406411FD9B8B55E287FC20B04F07155BDC264C0CBAA36B07781AC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:32.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473E97F35A6D157798A65BC1B10CA96D,SHA256=EDF6DB6D9A161CE884A09AF66D155E961AA8A9CAD048F9B69405F0981696776D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:29.521{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:28.407{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:32.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A0CB2128AB97AD67220B82894A54E8,SHA256=9954B2384F5E8D52BF005E44D55F2EA900E8AC762DF0A3A95E333F64C6DC2233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:33.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A778DA5E1A4DC9855900ED9441133AA1,SHA256=B64841F1DEA514DE48ACA554F375F8C9D2A2D5F9E218C885FFB7F87509F28CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:33.860{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861D464821D38CC7E51DC16521CFEBDA,SHA256=D849C9FF2A829FC74647CC10C2BB10A211B021C6A901593B6F1EFE9B76DF6D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:30.535{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61665-false10.0.1.12-8000- 23542300x80000000000000001290584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:33.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96C4918541991126FF57AA1902272AA,SHA256=07B76F26531338DABFCC765F072A493742DA0DB8B75D610B94F33F50ED47306B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:34.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E896A9B3DB5A52846691D8096D513C7,SHA256=4D576A5369B0CA1DB60CCCBF7BCC8770A93AF1D921B4976E9B9D11B54D71781F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:34.890{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409B83548AD3A3632ACAF7A02F747800,SHA256=F38B85F11E4185C30207CF17A0D240946D78536F197400AE02127EC438649539,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:30.613{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-32124-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:34.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3758D70568607EF3FAF00D0825DEEF65,SHA256=FC709718F6501DE0E08A700D8C84D18303D31D7C6ED98F1E88B5E7F31A454C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:35.906{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7ACD8DF7CD77707A1D17050539D9C4B,SHA256=5AE041768716D321C40275869645B3CD94302D100C789EDFC63DCC7500813B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:35.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D562D6B7ED4315BAFDA03654A2D78E1,SHA256=07DF7C919D85AECE694AF9A8A3DB2697C4D22F9645F92585F0300F8C65C05828,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:31.708{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-36207-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:35.590{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F13196282F2CCD141B76BAAF153C0DB,SHA256=723BF2F363BEFF69551C9C02E42D4ACD6BDCC07ED6884F3E0387E2C6DEB09C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:36.925{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50D65CA15F81FDB4A09CEBA8AC157E0,SHA256=A15305F98FC220DD4AE9FC19758012A00A3BAEC756C2C857E5E6C338971A0AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:36.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1797739BCF1225977AC7558B786830,SHA256=1F8431B699F8C3A4D3043410062A86D07E8AD4DCA8AB5A8FA5647F187C4DDB40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:36.237{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001290594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:32.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-40714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:36.668{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2EBACC85E6FE119368D14EF35D3EDC,SHA256=AA4C77D14A70FE2A271C0E0EF2F67CEC3888B14C7A4B827ABD70493F6D426CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:37.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC66186F3FBB2E838A8690CF559A5F5C,SHA256=0F05B098FB37D1B8AF69919F4BAD2779DA2ADFDCA6FA3D16C1B6F2748C5D84D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:37.940{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8428CBDE74E748A406B24463BAC9750,SHA256=F4EAD100591B4B36D4364D31C7AEE27D06368C28860372FA5F96B205BB7E714C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:33.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:37.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F3CEFCE077084A9D0210DDAE4708C9C,SHA256=ECA9F4FDBA365F50A38E43D3E654A35559558A1FE40D3CFA83AEFEE585AB35A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:38.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFD5156534EA559173DB432BE60BE08,SHA256=DDA3A30A3C1C7F03C99EE1105EA7254B2857DF374CE7181D06547706A6942A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:38.955{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1625638E52A9D5FA729F27FDF5B288B2,SHA256=C92453F2770DD2E33E8E066B6304BE6E6414AAAE5934A8A99913912B1D930343,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:35.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-49515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:38.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=642241C5FA071C500EBA43E8FC108F65,SHA256=FBFB3B65970E100F92DC0A2F91104595A4645D4D03ECC6D2882CBCC951CAF421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:39.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D08F82BD25764CD484FF28ABFAA0D5D,SHA256=89A7DC8A26EDBBC23AC7C93CA8DC313B12B1C258E2F68A25548328330CBB6C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:39.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97C7927C5320CAEF609F95142B2E652,SHA256=C045F50D52D92CB01C30390F0DBC700AE59026162268BCDC94417C18C8A90D1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:36.098{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:40.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F8D61D6B1AA51FF13A288BD3E3DC56,SHA256=8CA79031D1277BC7B770F418E0673B287E0A73C72DA62C26617CDCF57416A034,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:37.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:36.507{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61666-false10.0.1.12-8000- 23542300x80000000000000001384086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:40.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A160F28CD62EEB1E2F4071CFF539A5BE,SHA256=217776A2F6C22C468615E8E581DF8E1B247BFE2CA0E703A7687815A93E7D3FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:38.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:41.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A68BE222C521261049BAFB1209510A1,SHA256=D098EB2A103077793CB9B457478A0557ADB6B848C7040711C60B5C809D350D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:41.021{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A01CFC484F1A815F77166CD7BC5BB92,SHA256=36513B2B8E18DEC3142C01D1AF56B32BFE541F3D342D46B7082380930683DFF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:41.998{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:42.052{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364EDF8214E15C73454E10936C04C714,SHA256=24D269F30A2E2AACAF9AC3B73B62D3A0DF6ED8924F5EA1C633AD417C4EBE4C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:39.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7641-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:42.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF299E659D0612F2F1DF31780B01306,SHA256=FC642A931EEC6BBCEEBF380AD7E8D65E3922955B6A0E9F983570AD0CD29B6ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:41.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5439A81A8D6FEDE5346499066E5983C9,SHA256=8B41497A2C76DAB5F2CD614672820207A1B963DF9DABBE351394FE545490C367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:43.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7E346DB43C39530CFAA82557C6CB919,SHA256=CBBEF30A4C9756BB5ABB20FAC90C96D30AF99DF4240448DFDA71867C3A4616F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:43.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6FF685342D342516AE6F6E4B189EEAA,SHA256=554800E68186141777D79F41C79CACCC9376E98D5C262033C7573DD4C830B98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:43.067{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFD0C7EB80E9588FEF81A251AF7B282,SHA256=68648BEA3AB0E25F8582E8369250F1109C9280E11C35A315F4FE2932A16DC1E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:43.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65D7CDA5723FF3C6F4D730828A0DE89F,SHA256=3EB5CC6CFF72F82695BA23C70B0448B676A4AE0B69446715C6B138D27BE2068E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:42.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF65675593B6B970280C6B9785E898A,SHA256=DDCF67132C4F9035B72E2BF2C5F2BE6B6F3A4CB364E1F7C00E158AAF0DDC1E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:44.312{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2D3A5D024BF1F56E6F55A6AD86473F11,SHA256=647DC79236E9130503455FAD0935345462EE3D67456689BD22BBBB18CAAB2C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:44.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E0CD706240DD532F954F54553EED5C7,SHA256=7E51E33732EB11BDAAEBDD9A5F830B045937E19420622DAA762469D7E018A212,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:40.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-11911-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:44.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0304D55BEC21F626DEDC98A39473C52,SHA256=D7FCDBB1FD321A33294A06930106DEB7E6977CE2C906CDFC00A493FC11C96F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:44.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEE7F2867840B254E3C53FCDF219973,SHA256=B88F3E81DFC2AF7A0974757C88C2C94B76AD6B2822FB2C5DEBF2968D684F3037,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:43.047{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51422-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001384093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:43.047{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51422-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001384096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:45.118{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AC7FB410BEC04974853DC8AF96F39D,SHA256=0C12F50278EF32A23AB5D8FCA9BE34AE92B466B6ACFB47EAB55EDAC8416A8422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:45.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A58A90A355C46469BF5146DB3C2D990,SHA256=50E13F1113835FAA47F7905A372300641F29C0306947323B2513CF51C5FE42CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:45.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D053A0360ACE1924A035242777FC5FB6,SHA256=76A2E02C8C2156D7329FC5E8CA898A895EAFC37CA3BC0A4A3ABBF922155D639B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:46.164{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD866A2CD993E72A4CD81F298722C1C,SHA256=65964DD7D0B42634ABA2ACB13A7FC29B8ADBF97D091F4C160027F149753CD9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:46.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A1EF6BC22111178C916423C1DC9BC27,SHA256=70576966497B2D5237F726CA1F55E2B4A144EF299575EB170A3284AFEDC6BD78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:42.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:42.522{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61667-false10.0.1.12-8000- 354300x80000000000000001290622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:41.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-15929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:46.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14700275942281898311AFBF3CA721CD,SHA256=D6B7D6E0B892AD9D10F7B22613C7C7AB6CF552D5FF43F8FB8F3254B8F3F8C08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:47.647{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:47.179{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDF22F5269B2C64875090BAA0C56F19,SHA256=AAEED1CDCC6B2CEA8124D3507DC674735C75AA8A2AAB1325B63F0724E4F0C8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:47.499{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84F43CA388EFE95DEAB1D76BD6B0581B,SHA256=9D8B8A3BB5EE430C536B24778E06639570945525B99402A7526DDA77A9F86AC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:43.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:47.140{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:47.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCAA24E92DDEBB3BB3A26186149CD21,SHA256=5F6C70978275FD91EF3C7998F31A54A7E218F2C9E323C659CD4FF1DCE66FB912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:48.197{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C26AF832ECA69F3488E399A94643B4,SHA256=FE866A5CCC72762184B51B6A26056EC2CD6CCC57997927EF3B4F0FD929178DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:48.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA6773212950DCCCB801062C1B9E024,SHA256=89C66F0B264FF9C0D49CD885FE1025CE6F154E688835B79934FE1087206D619A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:44.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:48.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4718B12E55389C4D8BC09E8D0340E9F,SHA256=D44A835C7FA6031ACDBF6DB75DF99CB1D05CAAB3218D8EAC51F96441BD80E467,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:47.043{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:49.215{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF60BAB74DBB9B8E5C9A2D6D44EDFCAD,SHA256=1161E4480ACBBCE716593346033ABFA057B980757B186ACC9669CFB26770E879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:49.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC807194CC41A77717C7D55107969D20,SHA256=F7B14966DBAA3E61FC776B38BEDDA3D59C5EB3262CA2ABDF07C22D69BEC67603,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:45.475{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61668-false10.0.1.12-8089- 23542300x80000000000000001290633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:49.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED370CF937E22B87519E99776C5AC820,SHA256=D4373EDF0670091FF0C92F2628CF3E65C43554FA0B2FE23557E4F8AE11D6C51D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:48.626{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001384104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:50.230{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE284E710B1901EC9C93182467942D2,SHA256=BB97A9870546A1A539DD5AFE50E6547442A6EFF267A0B4F6DD33359C7ED37911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:50.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B37B8760DA49F6F883ABE0D4DCAF99C6,SHA256=CB620D11087EE6BF3AF18C4EA989F3BEA367B68D9576CFD020F4D195A562E4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:46.990{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-37095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:45.879{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-32873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:50.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C9D4D8DDCEF6908BD44FB2BCDBF3F7B,SHA256=42D64C5E0C3D598101ABC3FC2B5F8BC1C26CC798DCE01DC28D4F9201808E25B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:51.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85754914E63DEF1E649401ACE202E4BC,SHA256=6AAA0AB58BA274E3CB2E03A847E9BA9811DD5F78C8B432507E08F1A3FF53DCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:51.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=529CB7CCB043F7F5F3DEA060E1709A82,SHA256=98A66083A64AE19297C881A4D58D16B05C7F72D4013BB1B575E07930C8F64AD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:48.095{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-41478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:51.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C682AED52918477E9540A606D07835,SHA256=BAD52FF807189E449D29B1FA5471F9F564995049BEC2F45AE07D33C5866C37C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:52.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FA2AF84A9D853B8A708B64E6190CA1,SHA256=AD84B0C861657C379FFBC6F4B1D38291D960ACAC2CC6C3B5733C52BC30E0A129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:52.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3181AD3AA6DB5D4F48C7FBE3129DBD,SHA256=9760D04D7231C03DFF8745CDCDC9A52584E4E282581B52A532E901501FB93150,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:49.191{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:48.553{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61669-false10.0.1.12-8000- 23542300x80000000000000001290643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:52.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA703A92377C657BF179D4E97D85169,SHA256=1EC27FD32C4FDE9FD7D4FF9D38E34055F67DAE30E676B8D7D98111CFD3F343C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:53.701{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C259D22060556FC187B18EEFDBCBE863,SHA256=5F0299355D5E89C215CB3FF1F882A56C1F5D559C954EDA2949F11C16E7466EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:53.701{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7E346DB43C39530CFAA82557C6CB919,SHA256=CBBEF30A4C9756BB5ABB20FAC90C96D30AF99DF4240448DFDA71867C3A4616F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:53.007{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.77-57529-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:52.124{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:53.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131815708A6E2F94BACE388EFBF400C0,SHA256=201874DCD3CFBD4D5C84F6BE13A53CEC3DF591A5A9E82ED6EDCCA250519BE642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:50.288{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-49953-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:53.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BC7A76C99C5C926AB0D0100B1DC458,SHA256=F4E13DDC404F2876996AD19654B67EC4E40AA6A041C7185DDE0A22BCFD36037C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:54.298{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D5699226C6CA2D285EE64DBB12E825,SHA256=D14D260475C4CF7D4D1A52D290D97847E4CEAD67A84B9335FCC2A93BD872DF99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:51.365{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:54.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A33859B82B276B33E0760FDF30F2D8,SHA256=EA790B32C731332265B8185EB34F1CE5B575C51462609455648B9DF7F4728439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:54.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFC9BAE13EAC41C875A90FDBFD42A30,SHA256=1E6B536D4EAC0A5022990057579490AE68DCCF186BDB6352ABF747A1347308CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:55.316{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3477B39E6DA2940E419A1B322A1CCB00,SHA256=2AA59D49F86B205374F1876BA7CAA170F5838D648979B4A5F4779CE7D46A1E9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:52.550{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-58478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:55.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D06D52BB18E60CA92DBDC74B5317DEE,SHA256=046D4A6982F5A3A851880E10897472F0E5B106A9F9985E024F01455C0373F42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:55.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654848A7B278AEC14C61E748E3CC3085,SHA256=CEE3B331EB1450CA21599179E674CD4C1B76A4E73F3BE584E803E6146D9415AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:53.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4106-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:56.436{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C93FC0B865BF0D4155C3747F58255357,SHA256=86AB1D3CF06332468668670170860A0198C7B44C56087FA1B30B8226855EB620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:56.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6F2665ABBE81B7F167B57D0A295EC,SHA256=F7A499EAB3350D6088339B7EA450F2F75D89B3B13D0BD433A99AB3B8DD627212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:56.330{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922D81DD5D0FC3AEB54D6D8FE71AEA32,SHA256=46679105312DE2B2561EE0F32A0909D12ECA5EF681463871902F8C7E1D1163DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:57.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EEF959C8BB8E85C59B5727C2F8FC4F,SHA256=64EBE80BF9687E8C5B775E35D5E915C386FB6576DED421B24F33AFBBB7BED5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:57.499{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A696079383A71290846608564C2F848,SHA256=C754B7C07BE164E6507FFEC8931CA3785F1AC280E17140EA5EC900BE8F7B0496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:57.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F900E05CA09DDBFD491AFBB3CF269CB3,SHA256=39BF312F87A7C3D4269A80FB552EB9139C19F6C3DA07B329587602E7CD63B76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:58.071{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:58.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6379996F9CE79C4156589282CE6FC1C0,SHA256=BFE7BD331CAFEE58760EEED06D0E20B46526D6844C97D4C7A7CB934E58DA8278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:58.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ED298A43422F2B8A37B094D6E93FB4F,SHA256=CD50B6A9FA8EF9823DFDAAF5367626D8381A283DC05428DB68D8254DF0A99764,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:54.805{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:54.569{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61670-false10.0.1.12-8000- 23542300x80000000000000001290660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:58.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C71FFE9BFA9C0903C21A751D034206E,SHA256=5541F5597A55D2993978B8A33E1B15B3F9BC274BB7ECCC33B0BAFD7DDC4DCAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:16:59.397{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED7BC98D60E4DEF5A5497D715865040,SHA256=0E454411E4AA05A820E5941CD4139527BBACF82233E8A6424998F967755B4831,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:55.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:59.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62E42D9290C73EE93FAD3C359A8015FF,SHA256=B204BD5536AE0576C96A4F587AF6B7B4D6501C0A6D163E40A5BD7FD4AEFA0720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:59.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8428035DF5895ECD80461132A0E15FEC,SHA256=1CC1983CE6201E83099A955CD9929AA9E791CB85244A1948CD76806DB5335499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:00.413{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597C727B717A45195A1EBBEDF568EEE6,SHA256=151F4B8E232D5C0E9D5EFEA3F0A00A5788BD03B17C2C106F9BD74A33413AC414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:00.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41605173FCBFEDA7A21115870D60A1D8,SHA256=02F63845F4F100D79DAE4A832D39FFC24CBCAD9048302D0AEE25C2575F69F980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:00.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B7F77F2F1BED95D239EF30E4971564,SHA256=430D7D3F52FBF8433829B580BE832C62C5582EF9F73F48075E213EC7DCFDB827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:01.443{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD200ED12F141D62725A947EFE0E626,SHA256=75BEE389E29805D0D1A8CF0FD3F188F7112004CDCA29F6D4ED92B086CE9A36CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:01.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E255118F6005C2CE8CF3BDD131949927,SHA256=1BF8C66B072E9FB5EB080D0C25A599E0A661F7D97BA9254B7BF4CD27E5715F52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:58.039{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20936-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:56.963{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-16827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:01.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E3D9AA90FD55F4DB1AB117E43403FD,SHA256=4B7B64D0CA3325A10CE43A3A19B631F9F6726BF212AC59BF804D7CA54F5054B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:02.474{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49287284C76B5CB9B10BF4C8EA59744B,SHA256=8A7EF91506BBBE6E728A58B42E52BA8169B5D5EB00500F863F3EA0E3700C4CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:02.630{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5717MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001290683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001290682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f9510b) 13241300x80000000000000001290681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0x36c7ff92) 13241300x80000000000000001290680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b449-0x988c6792) 13241300x80000000000000001290679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0xfa50cf92) 13241300x80000000000000001290678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001290677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14f9510b) 13241300x80000000000000001290676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0x36c7ff92) 13241300x80000000000000001290675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b449-0x988c6792) 13241300x80000000000000001290674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:17:02.471{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b451-0xfa50cf92) 23542300x80000000000000001290673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:02.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5C618D64ED4B557D32C97BA1C7747F,SHA256=F5024B92ED168DEAC2B5E6361506D5B20DB559D4AD65E03CE881789523A108BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:03.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18487EF4DB7F613B90B07BC28B5285F3,SHA256=CD5F7389FC08E1AC63622F46A4F4FA7506D10128F2D9078787C6DDA09F6B7A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:03.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C259D22060556FC187B18EEFDBCBE863,SHA256=5F0299355D5E89C215CB3FF1F882A56C1F5D559C954EDA2949F11C16E7466EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:03.203{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-51280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:03.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:03.572{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985AD9346ECA6119E9CEAE699F834B91,SHA256=64E29DE4B4365392B732AD98764FF0BFDD4EBCFE8AFB0CFE938E586DE5971E8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:00.340{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:16:59.244{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:03.643{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5718MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:03.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6D1EA70E3B8CCA985CFAD80B4E07F9,SHA256=11D9559E9B3937924B4CEB272EC89F3792C24C18C314902F7DF29B1E46348B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:03.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D42428B74E95166DF7788B5242428160,SHA256=7F73A7C70C75CE8B260ADC8246FA7A0893A06F974053591D2BC66E0A77E8106A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:01.431{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:00.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61671-false10.0.1.12-8000- 23542300x80000000000000001290691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:04.485{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56671C14392778215DE308CB27CFA418,SHA256=D7AF3DCA21583FF0ED18F6A86323437CBEC9A09342F6618DF6BD28EB0EF686B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:04.593{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09F8404A71A5CF0E0E787EC3EA58C8C,SHA256=71281503A3DACDA47F55DED7EA486908AE0F6FBF48BCA95373E039D5B5534A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:04.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7736E98C7F7392BD1EF768DF25C2A4,SHA256=303254050E36C56A32FD841943B042FC682972813790B8B3C81874D9D7D3F332,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:02.518{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-38402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:05.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34797D2766A528251EBF4EA87A678C5F,SHA256=5BCA307383851200743C683CFD848D23291A5285711354E687A7F53A69130B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:05.674{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1400MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:05.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D2C608D52DF19A40511B35E4993AA7,SHA256=CD81279F04FDB98466F322339C4E356A1CF1E67D0F57367B080466C34A5E38A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:05.251{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59A336288F6F5EC28F74B40A56565DE,SHA256=4EC88EFAD25C04A2502F2AAE4D46FB00B7AD10A0E5EC086AF3037CA98810A957,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:03.632{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:06.735{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61CF296BEE3A7A27811AAFCAE4A4B1A,SHA256=9ED5A651FA24AA4CCF21BCB6499C9BBDC4B20808D13FE4626B401EA7D0E4016D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:06.688{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1401MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:06.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D7689E26D215BAE2AFCA68E8C11049,SHA256=5874CB697EEBDF0544DA6650BF5FABEA89E0308A45F4E75C4F1EB7B13FE6C496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:06.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82C4196655EBB99490855048DD374694,SHA256=2A31D05C738EE3C0E2F3DCEB27E9504A25A796366ED802DAB3A2A1673BCC6A12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:04.740{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:07.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D61395B951764B752965E4DF0F58A6B,SHA256=6E7F33FB9BAA2A38846E00885BCD0AA0AA52A28216C3C48681FCAC507A2D0B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:07.654{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9219A89AC0CD8BD8829FE76E239D9DA7,SHA256=2D74E0A8CAA828E7ABAB7E3DD795AF508242544D4AAEB005C3917899282037A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:07.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91DDFD70AB7B8D24C1709105B4EAE66B,SHA256=7A133E7F854225BE25E738BD53651A509752F4AC9F2B8BE0CBC488C43632C5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:08.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439CADDAD9CB5F664B5902505AE88059,SHA256=9A65B74D1E6238CCDF1D9504DA9A6627AB3224FD10B01531F3434CC9CA4E2EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:08.668{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F34CC99AFF04F8795E70B4BEDC78F9,SHA256=87EC0E33EA156E87D49F3493CFCC39097047F755A2A0953742E71F84341932E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:08.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51FE0E51A93024956953221FAEC1D82B,SHA256=6C217DB2711CB70B520924DF89622C1BA2051C20F6CBF352E7718BE0E7A069F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:09.101{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:09.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E5D4D7FFB20C165050B33ABDC19A82,SHA256=EEE34D0FF0A34CB352169F5381A6C527C1C5AF6E98B3D02C2DD3B7B03EA7B3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:09.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0731EBF05814ED6DBEB57E491FD781A2,SHA256=6973F530BD6EA6E08063ADB7F033BACA7A983EC869A17203552581F9DB62784D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.843{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2CA8948851A4BDCDC4F497B18A1895F,SHA256=D257B24A091C3F8A45E94D571AFB69C60B6413EBCA73D63EEAB709B57DF455B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD96-6152-7028-00000000FD01}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD96-6152-7028-00000000FD01}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.712{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD96-6152-7028-00000000FD01}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.713{5EBD8912-DD96-6152-7028-00000000FD01}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.674{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1648815CBF1EF30F4A29B7F660514A,SHA256=3304BBFB3C85E89D6679B19A84EE93FBEA6CD273DF8E091E5C23060A174538CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:10.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C29134B2AAB524CEA434B77BD1A0034,SHA256=4E3AD2B0A83505B27ECDE600CB190E77DFD24180060FB6860EE76F5987C4115F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:06.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:06.352{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61672-false10.0.1.12-8000- 354300x80000000000000001290707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:05.807{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-51093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:10.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B2D098E733394DE23A980CC4C8E6C3,SHA256=EEF5DF3E69578D426566610173736FC4CF92232A68BD6120C492D11BFAC81A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.296{5EBD8912-DD96-6152-6F28-00000000FD01}6344948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD96-6152-6F28-00000000FD01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD96-6152-6F28-00000000FD01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.105{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD96-6152-6F28-00000000FD01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:10.106{5EBD8912-DD96-6152-6F28-00000000FD01}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:11.695{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA34AFE4361553534AF14E59262B939,SHA256=C8C7F32F4C343778CD5D36D1A9CD2919066AF66293D90C6FF7F5C4B1540BF9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD97-6152-64A1-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD97-6152-64A1-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.392{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD97-6152-64A1-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.377{69CF5F33-DD97-6152-64A1-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1B43C721008D0938BE97D2265AE72D,SHA256=C639A2C0EF6EDCA5234B38CB1544CDB91EA77ADD012D6CB243E33274C918E55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:11.127{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=684E6FD5078A051197D21DE7CC010895,SHA256=131F053FBA6A7D359B093169A791B9890FD11DD766EE0A869EB2C44966894640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:11.127{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18487EF4DB7F613B90B07BC28B5285F3,SHA256=CD5F7389FC08E1AC63622F46A4F4FA7506D10128F2D9078787C6DDA09F6B7A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.929{5EBD8912-DD98-6152-7128-00000000FD01}63086256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD98-6152-7128-00000000FD01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD98-6152-7128-00000000FD01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.743{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD98-6152-7128-00000000FD01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.744{5EBD8912-DD98-6152-7128-00000000FD01}6308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:12.728{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AE41F9EC8E1C408E11318CE65353A8,SHA256=BCA72CD71628A5A765D531CE32A5544BEC0567F222D6756CDFA97B732E914BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B5D6B6BCE10B34E245721DEB79861B,SHA256=252A5CEBC9C649A84B5EA47386BEE011EF6F6DD3DCEC787121EE974E311B7DE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.298{69CF5F33-DD98-6152-65A1-00000000FD01}9203380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001290740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:07.981{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-59490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001290739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD98-6152-65A1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DD98-6152-65A1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD98-6152-65A1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.064{69CF5F33-DD98-6152-65A1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6993980EF5582DE36910E0ACD30A6EA1,SHA256=10EE6144884B19A60F48D70C309B398980E53D5631B36057B4508A0864162111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:12.063{69CF5F33-DD97-6152-64A1-00000000FD01}3128104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.789{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=684E6FD5078A051197D21DE7CC010895,SHA256=131F053FBA6A7D359B093169A791B9890FD11DD766EE0A869EB2C44966894640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52958C20B57DE4E0A554D73BF8027F1B,SHA256=B5D27DCD053D025DA8BB6E4C966B1FFA2E061962A3F8FB9AFDF9662988B398C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.829{69CF5F33-DD99-6152-67A1-00000000FD01}7922408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD99-6152-67A1-00000000FD01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DD99-6152-67A1-00000000FD01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.642{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD99-6152-67A1-00000000FD01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.613{69CF5F33-DD99-6152-67A1-00000000FD01}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B23B8C65575DD42ED94E41292F0EEB,SHA256=789B60998C5EFF75A774E2BF0783457FD089AA345DB248FE1D55E4A11FDD264D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD99-6152-7228-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DD99-6152-7228-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.313{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD99-6152-7228-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:13.314{5EBD8912-DD99-6152-7228-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001290755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD99-6152-66A1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD99-6152-66A1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.048{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD99-6152-66A1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:13.033{69CF5F33-DD99-6152-66A1-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B95C0EE6A343133FC48A9FCED8DA03,SHA256=7D542040EEFFE0E4B74FE0B48542F6A6B0D5922DCB119AF16D4F17F0A0F863AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.860{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD9A-6152-69A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DD9A-6152-69A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.845{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD9A-6152-69A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.830{69CF5F33-DD9A-6152-69A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:14.753{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159A718706DA687E43BB6DDEDB1A332,SHA256=B51238CD8A894517CDB9C0A6BCDF3DD9D12F54BCDA84DDC530B613BDCA5922BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:14.139{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001290784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DD9A-6152-68A1-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DD9A-6152-68A1-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.157{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DD9A-6152-68A1-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.142{69CF5F33-DD9A-6152-68A1-00000000FD01}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:14.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84A2DAC9B660B5EB9F736F5F8761E2DB,SHA256=DBEA76BEE6CF161C9199A7CA52B3DD12B094AFF83335D630763FEB7AC18FF061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:15.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA93EB214127965C79DA3F48A114E0C,SHA256=A9430E02B9A032DE41275DCC37C29886879978BBAD711B349677AE45D658D32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:15.771{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45C87ACE83B5B273B63A9D116123A80,SHA256=6259C33CF3E51F06262FC1D776AAD5F08F0378D984756B9E5B422AFC762794D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:11.603{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61673-false10.0.1.12-8000- 23542300x80000000000000001290800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:15.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A6676EA9A4CDB45D10A70AF0DC963FA,SHA256=C81B823BF52EDF6F63B1AA2B8763144D9BB4D32378C1EE37E1002DBD85F3599D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:15.095{69CF5F33-DD9A-6152-69A1-00000000FD01}30361404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.855{5EBD8912-DD9C-6152-7328-00000000FD01}4508852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCD1236A7D367ECFFB4777138D553CB,SHA256=42A30AC7697FDCC905FF363D07080ADA25C552CEE35C0DB2AEA0C0BFF1E5E0B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD9C-6152-7328-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DD9C-6152-7328-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.655{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD9C-6152-7328-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:16.650{5EBD8912-DD9C-6152-7328-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.630{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-23087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.544{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22716-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFDFA927F348FFDFBE3B6543382903F,SHA256=D565C52C47E9814C33226B9617D1FAA3C4DC61293686E5A89E693E0F84891A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:17.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E5371901220486B2ECB0589A987DAF,SHA256=498BB71472D67908D1992CACD77C16BA3DC2E4C153D63294478726141C6ED407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.671{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B22D2127FF89AB44E5EA4776ED33D98,SHA256=E658C71A23D77FE9AC5A05D3C21309A3DDFCC96E13E3E26E7073BADA477F65AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.502{5EBD8912-DD9D-6152-7428-00000000FD01}56286612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DD9D-6152-7428-00000000FD01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DD9D-6152-7428-00000000FD01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.333{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DD9D-6152-7428-00000000FD01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:17.334{5EBD8912-DD9D-6152-7428-00000000FD01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:18.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15664734FAAACA44904798BA019F1943,SHA256=BD9669A3BEA4B0EDB72F7E9986B5CA66B9D72D7BCE34F8B8CC390567AC9144B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:18.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EA3C3020F153AA9141F087A230952C,SHA256=25998BE662D5E09DE02E040C5973B4AED944C60D49A7B12F5E74EFBF8A0C1DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:18.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F2C4CA66FE6287F1C960E3DDA28F1B,SHA256=44361FA8CAE5F2203814F04333440D7FBD8540F7D7F8D9320B4E62D0F1994B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:19.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA321D60C6CB81C0E12FDFA352E089A7,SHA256=DCF9205131D207350B51803C752AF3ABA8CC9A33A788A6B46B07AAA75C003C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:18.856{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-29050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:19.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5213EE87CF274CD7D834AEB0CD765053,SHA256=7EC8DD6C4BF250694D144F34F946B1D636A4FC32FD5A31840B1936769BCBCC04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:17.607{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61674-false10.0.1.12-8000- 23542300x80000000000000001290806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:20.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5B21D0CCD2572C88DCB192C07F7BBB,SHA256=E458CFE6389A0902AD5398709E72ED540BCDAF6FF3DBED6469B7AA1037FA1BE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:19.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B59E1E4C05EFDB3303597C79C7BFA0,SHA256=4257FD8FDF54A3BF2068A9169354662CAAA4E786C8073B7033A3D0F2FE71D3EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.308{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.308{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.308{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FFD13B12EFD94E2FD6E45A855FC1DB1,SHA256=3BE64FD66EC4731639911EF262800E419AC39C054107344B47CF6C6E07A772E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDA0-6152-7528-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DDA0-6152-7528-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDA0-6152-7528-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:20.003{5EBD8912-DDA0-6152-7528-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:21.825{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F8D664643F316E15F66AD2E4302D0C,SHA256=767BBF514818BD42CCE6BEEDC60128D3D4EF8A848E5FF7B4A55F8E6CD53DA021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:21.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40331C63BEA737D31B526B59744D3623,SHA256=E453FF892CDB6DC86121813C38CB2416826EC50D1438BA273249D276AA189CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:21.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AFEC1E467A7ABC5B2F893B32F00C55C,SHA256=CCB8147E3AE3667A53EF60512F9F806331BA3B35FA795D62DBC7E6C6F006AC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:22.840{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF63B8E2E025454AF3AF99196BFBF64,SHA256=1CAB355E83C20E271DC0CC1F58A95AC83D30665E6D304474D4AE0593867DB277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B52818EB3933805BA7A95E7E86079E,SHA256=DCE63E866C2948E39B66A4AA03570223AC161496942B92333866065330FCD05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:22.340{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46AABC5C1FD3A590D4348430A2C6473A,SHA256=DA6006CE96474670BC9E3A4D2EA328DC39388973396230A45A597D43180B2A55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:21.079{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-40354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:19.986{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001290821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDA2-6152-6AA1-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DDA2-6152-6AA1-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.474{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDA2-6152-6AA1-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:22.459{69CF5F33-DDA2-6152-6AA1-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001290825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276B1FC75994F6A0F9E1F5F6544DE204,SHA256=04E2E7D772A60D6BB11DD49A36FDD639F24704BA0E833BA41656BD5871715E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:23.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978F36CB62607D70CB3F8D6610B8807F,SHA256=D8782C6AC0CDD6E6E37C5F6CA4AA8516D73F5D4518E32C282AD7499A4E16C801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:23.686{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DA68F3B981C9467A638C80E876DA4F,SHA256=C1B1AC0BC4FF11D226DE7319B18C3E95C415D116B83A943008615139A82D301C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:22.248{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC40BCFBE4DFCDF9F7964240FAAA780,SHA256=EC83E6ABDD5A2963ACE0176970F65B2C633B411FE471CB7A59A90B3B3EB8A1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ABD70ED9E5AC537654E10BCA10281D6,SHA256=A204570E2A634A68AD2A16E66C2B3616244F9E49854367D46247773152BB750B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:24.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C980EEC46488BB0C3DD345D9E22DE62B,SHA256=9A25F858CA6449C6A8798A296ACB4B8B1A381BFEF698C3F7D9A3AF09668D8810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:24.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C13C5EBB253AD3C72A8862F9C61FF4B,SHA256=A58AAA2516E9278D4694EB2E9BF884BE46B973F65C4B5E457D71A7BA561CF96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:24.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39C844A6ECBF02507E5982D4674C7DDF,SHA256=E99769BF29B2BEAA4522F7EAC02FCB5902D6DD52C2B0A09BBDB8917418899486,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:23.391{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51803-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:25.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935CF427E85EB71AEA426772C09F5848,SHA256=B6D1959305E4A0FF2D862968B6AE6442DAFAC7194108007C78E1F54FC8F028C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:25.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4079D529D21C7A447ABC185A996876,SHA256=E590BF423BF12CEE44EE2D7395B473741F034A2624DACD0C164E0110FB082A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:26.905{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99F8C48BF63883EAA63464DFAE44B60F,SHA256=D0293A3B82BD34C70212540CD9181816258F88FDF54D09C9FE4E4BEA1FA98AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-25047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:26.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06647465BCD457988104117B7D4B587B,SHA256=0C4D2E1A359B700FF828F40CB6DECD6E404DE8F040C44AE9C7019F88B8BCC4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:26.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22944D4B5F29BFE689642FD4D9C5332,SHA256=CBABD54409973EB9FDA3C086B89CED4A6C46BD245CFB79E2BF90C6463AE6EB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:25.149{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:24.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57941-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:26.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC40BCFBE4DFCDF9F7964240FAAA780,SHA256=EC83E6ABDD5A2963ACE0176970F65B2C633B411FE471CB7A59A90B3B3EB8A1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:27.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8A03DD9DB723D902F85A9CF8D8030E,SHA256=4693666BE5E3AC1FFE7F72C3B7FAC7A28C1262E3C6E525566BAE8269255D942F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:27.942{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A32EF4AC7DCEB6C9EEF94227836C5C,SHA256=D4D6F2A01DED4D49C4EB7FA42FA983A732162516F1D0BD56DDB386A517F49114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:27.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DC34D0355F383E23EF2D00A4D5B606A,SHA256=CA4A43880B074033979D784CD1492B2286031E02A458B41ACEDEA6FBFE204078,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:26.284{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261676-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001384239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:26.094{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5629-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:27.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D0CA00DD914299A42CF12BB47794769,SHA256=1046B888FD4B692951A4B847EEE753C58D75465953AE81022878E320A19BBD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:28.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA45C6B29E96656DAA9B2F52420D819,SHA256=3F0800911F0BADCA17634BF3095658A2E920731A6C8909DC1B69B23CD6B01693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:28.956{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45A60672059D0453090669C44BEB25,SHA256=C6D48B409B6DFA9C473374239BB5A62FFA72DEEFF1B2C6A3F500E41DC78CEBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:28.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=111B2AB31C291D92A4394275C6718F56,SHA256=97D0E1D22643E90B9873A1CC0DDB05C34001C8C067D6D42906C06C77A8208423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.600{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61676-false10.0.1.14-49672- 354300x80000000000000001290834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61675-false10.0.1.12-8000- 354300x80000000000000001290833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:23.431{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-25582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:28.322{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8998337349442BF3EF1547793A6333F8,SHA256=E2EA1904A5BA792224A8E8F0F5BCAEDAD842E32C720B86FA0D446FD3731AB1D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:27.174{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:29.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956C615EDA5CFEC5E086D84C75384A1E,SHA256=C6A53330317642B558B746082BFC6AC487F728661EC966C17F8F71E6933B13E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:29.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752FCDEB8E55DD81EE7CDB30FDAE550C,SHA256=90143139AC9BB5AD3EF34FEFD117D8AD8E334C7698019C1D5951D858896A6921,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:24.684{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:29.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA6796DCB40FCA2141CDA0A18CF5F5D,SHA256=9335A6EDA753C53FDE0611D16DA06D30AED4D8E13D4578728ABA1737968E8CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:28.258{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:30.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A66668AB96063564E9215E50C535A8B,SHA256=7AE5FFB84130D63D73E90FC5E86AD46D7C93191D20408526541F34147616B386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:30.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A81A8928A6CCC0799DAF4C9F7284C0D,SHA256=AFA479CD84607F08CA31DFE918677C179A22A86FE8CF9A5B88E06286A7D36455,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:25.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:30.802{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EEE74F915C40CE255F7C41A5033D92E,SHA256=A8D9F4596A69AB0116FDEE79BD5ABD3049A8B17DAB6C254C71C7CC5B02920031,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:29.336{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21993-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:31.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6860D5F91BEDF9D7F32B5E72D20B4C,SHA256=AC2078C5ADCA7907B6BCC29927812B273688D45EBB963BC14E3C323B871390AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:31.970{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C21AC6B46A88C160E38AFCFD157CAE,SHA256=3D4011C91CA33108C66103A774C007B568134A6DF4CD3C7CDC2A2E4A7AB9218D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:30.198{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:31.002{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A67D65353158DDB63228602D6814DF,SHA256=E96A1DC67F9B5F249564C22CE5990E0F1274556E5540C4675734A12D35B7160C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:31.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=310F98F070FB5D09F8C7B29DEE9200CD,SHA256=D828BCB65C63B2BEC4C2D294E4508D82E7C183C7AFF0322DAAC3E4F452B72B45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:27.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:32.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2019E30E61C0266BF892CC8E2FA40E8,SHA256=92B35205504C14F3CABC381FFD9A2E5B6E6749614DCA140C0ACCF8B4D47C3255,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:31.869{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33983-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:30.695{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28304-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:32.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3715E3930A9382209F3ACBCB5F26FBDD,SHA256=B8B61EDF15F9F7853B90EC7F0471D276CE8896E5494AC8CE04D700F4D8037A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:32.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0778010A36B31411937560327383846B,SHA256=CAB32B6244D9AE653B63A280282D9381AA85FBF9C18CE5E1D6EE9721A4221DE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:29.916{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59391-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:29.591{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61677-false10.0.1.12-8000- 354300x80000000000000001290848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:28.668{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001384259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:33.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:33.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB06270B30F3C1F5A0AD70F7C8024A7D,SHA256=3540397F0E5E07086C4C87860E31BCD487BF5D69C7E40D947E2521766227F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:33.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F481B6A96C44E7C659F332D59B99EBE0,SHA256=EC0CA696E5C1FCCC8A3B69499E26EC4AD6BD448B4C5A7D22D91ADFDF4BCA9623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:34.339{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE915B292A6C033EF0BC1F7C1BF0F7FE,SHA256=B6DE1779A18978565A6CADC89C9F0DF759AB9858B47EA3E3B125287CE54FE04A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:34.086{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1923F5A3E92AD47BB958D4993C6B1CA,SHA256=37C1E6482819AA1BC19FF6C6DAECCCD1715B0AC233DC338A56C8516B39D1E20E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:31.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-6850-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:34.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824F83B22980D56943ED536FAA2DA237,SHA256=78574F1D8A16C98C915E60E0533B218CDE0F355F00D038AF3AF1405B2A4A2072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:34.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74382C8718363502D52F3B48690BCDD4,SHA256=B9C45B509CC102534E857D31986F51F9C27B579ECB17BCDD1D15D8F52186B5BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:35.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239076063560BB2D9C8137CA1E8CE1FD,SHA256=E2E1F420DD4241A53D513A8A5E850E77EDA62017F1145D76C1D1A8F2D653CAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:35.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E714389D744B603CCDECFAEA112322,SHA256=5F4D074C96EC4AAA9726D196130B34E54F3F5253B73C478A7272AE573138C0BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:34.233{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:35.121{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B06DDF748AC79988A607E9332D74FF,SHA256=1195E969D98F49EE781C439943ED0CDE146DC6F19D93189D82FB4A7CCF50BD3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:32.448{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-13453-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:35.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992039684CEF02AD7F1A9ABC43FCAB1F,SHA256=6DE5F6E5AC89D75A193000054ECDE2A71E932309199858B9FF7E5A89AFEB7286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:36.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28E3F42AB4FEB54BAA11F7DEE3BBCD4,SHA256=F15A2E6C3E9B4F74F01D8C735C0052BCEF446FDA0627FD3F639116F043B05274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:36.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE77A51B532B7CEE6C69E3E4D6678B0,SHA256=CEE31E90EDA8D2B7E20F39C6C8D4DA5800A86AC3395E0F455343EFE3B3610930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:36.836{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC2C4415F2079043E9F1BE2E0A7E883,SHA256=C026ACE6064F214769D08CD486005C54F40780DDE5B43CD6A3FBF5E025871739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:36.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C297643D6714621A9F2D58699FB5F924,SHA256=902D45590CD927947C09527D77E0EEDF2786400D4D6AE7CA218AE1647F5E1B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:37.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CC3C34CD27272B2586F86089F98C587,SHA256=29DDC6A039F123E83F6C42D0184A53BDAC0C22FF4371BF2222BEF72455CA0CA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:33.684{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-20272-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:37.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF98F742DA56AF9C4C1E16B0DE11B241,SHA256=53C2CB724DF8FF95B2714ED29D5D55D9D829AB2109DC7066692030FC50094CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:37.911{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19AB2905CF2A6D8C11845E0B98A1A34F,SHA256=471596E14854D95A4CA60D38B862B448678BC735012500D8D3F477DE9ACCC515,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:36.133{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:35.512{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-52044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:37.139{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21491E71D26DA0B3AAD7623C2617F390,SHA256=0E1C5FC87EDB0CED8766CB4B04D3677EE919194529D079B7748EDDFBAEB7A846,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:35.591{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61678-false10.0.1.12-8000- 354300x80000000000000001290863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:35.000{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-26893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:38.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69405A67E10513265E48C38BC6DF1878,SHA256=5388644CE43DEF812B6569D126E43766A77358E58C7640DB3F16BE68655BD699,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:37.853{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:36.731{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:38.139{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780EB3FACA2576BEED724B0F742A35F2,SHA256=A94A48A9AA9A449B19AB6777C17008862C58A152251F4735A1168688C786F75B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:36.246{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-33853-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:39.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7399E08F61AF2A24100A80411C6F7660,SHA256=C4BD0741006513DCE47ED0006154C881B05C5272631C3A4DAF155047416EB303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:39.170{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F865151C4D54D1B98CB97F04EA5F22,SHA256=503428CFC41DEE4C01FD136870889A49046AFD75147F1D32755FA514C0E258D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:39.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2B59F945B0798459711E9694CF97CB0,SHA256=67E60F9852A906605FBC9085D151E364C6C2DC552BE0A2C78CB0D76045168303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:39.139{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418CFE03E6375B46D38ACEEE783D1639,SHA256=5CEEE40965F28A1498D811EEF713F9BEF132D4CF0E6CC994D9739DC06382BF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:40.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9548FF07DBAF063A5E08876E86099F1C,SHA256=9D9A912E8A4EDD2DE4B0FB4486A9E4978B165187F1B6D6975531188F974F6A6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:38.941{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:40.238{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=906BFACF6FD56A8CA7002913709646BA,SHA256=2CC6D67F1058BACC60CFED174DD7E4BC9B8760C1D382591A1501E2F3FB890EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:40.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E055088D072A0EAD0843928801171F,SHA256=DA5A0441DF977339EAF79352E7003327630671835E8CB8155ADEA9905790CC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:40.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2AA22151BCC49FF3D1FD67B663134C5,SHA256=DBEAB9E79065B45E7608C8436740ED80AD247FC15216A7BE22F589CA56A0DA05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:37.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-40837-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:41.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2610C7DB84E2C3A91E0210D896A8DC39,SHA256=99364B940C5AB25E51D8015CD107DE07EF3991498A7902F6DB929FFCB30F097B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:41.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4892207488C7C067E2C9880C13FB2425,SHA256=021290A4E96EA71370C2C6E9C449E259562AAF030DB43A3E158FFBD0FB3932BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:40.170{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:41.322{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7D9D5F6A9B0308777F258863873C8A2,SHA256=86B33B4B90AA8E90F9B94C7635A2F5E9A9A75897044FB56D854DA21485506C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:41.238{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22783492264D9164B5756EE9D16A2DF0,SHA256=76CF5021F992FE3CDC126430C4A92D5E752FC38E86E6FA2D016D99F2160094B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:38.927{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-48067-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:42.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE27D51855FAA1C4ED8A2FB67F55508,SHA256=C7FD32730DE44C88206FEEDFF42C654772F4F922E4612C3C3D9840B5062CE261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:42.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524B26F4FB3CE35AA42F507ED36B8CCF,SHA256=2CD4611ABA8B4738CF059695865F0BDAAD769254817926DBCEFAE770287C08C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:41.254{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:42.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EDB8CA6080822A0D064EA722EA6E38,SHA256=99CCEE09E305ED197889C7053632A8D7A0676B31BB728417B518E9C4A56929A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:43.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB91F5A5A743EE4040B17767B54B404,SHA256=C990A752456E7B3593509A3723F468B809BB40C33582E2CE36BA2A4BB265E9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:43.049{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51435-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001384288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:43.049{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51435-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001384287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:42.350{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27127-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:42.095{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:43.299{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7948984D9219EFF71A5982BDBC45F10,SHA256=1883AD60BA131ADA325ABE83EAE03E3F2E092364C76F2A5362261465822E6D67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:40.257{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-54726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:43.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0969ED68F079DCBC9D1E2CFEF01FE915,SHA256=C69654C74C606C2F70295F9158434C014BA2463D19602AEBF0B215AF2CA9E81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:43.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=474AF4131477C0EE647D43121F8CB1B8,SHA256=A81364C6DF0182A03AC698B8C8C9DC86D95AD16593D9C4D01350A2327729AC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:44.666{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D953DF21CE96F3D7871F975EE3ABCB2,SHA256=B2FC0CB0F6A675A28BABE7BAE9F6CD8CA1A67F9A43C29405F561EDCE193A6C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:43.487{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:44.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ED67342961079BC5AC58314A249DAE,SHA256=65DFA629E02AC677945F70C8A0CBAEC0B527356F9EB4AC944EC587D3CF88B2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:44.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7DAC08B751CB8F51DA85A00CE89BDB,SHA256=CBAD06272F1FA972EB8CA0219B2263B82F59C1B96975E80995D75BDF42627E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:44.352{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50BD779C9F28FE33CD2A6621F24BF474,SHA256=8FA6A6418A4E59CF8AF3C502B487F70AC8B03B640EFADA2240EAF00875F0B9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:44.320{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3C0C96ADA2FB18272CA30335961185C6,SHA256=1F902AB99B9FBA5C884CE71F7681009B2A92AC446451BC4AB5E41F3A7BDBC0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:45.602{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA4FBC0CE89936D3998183DDBCBAD0AD,SHA256=C5EBB8C1B525392ADE78CA8F809AD25101C3BDDC2AD91F675366494DD75E5412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:45.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B07F963E7517A36212B589596BE90F,SHA256=D8BC97EAE4F8D0D19B86E4001B6FD68A78BD506F824D115DE10CCDA722CF15E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:45.781{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33F9B2030BFE587DDE1EDE4901784A3A,SHA256=6E28739968EE81713FC421F782160FE3F790A4EFDD8FCD74A479C1552C4AD2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:45.366{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9512453818D1FC263DD7D8F3C16986AF,SHA256=E97E4B74544645B754C274D94722E587F94A9DC7122B64A18F37D8902FEFFA78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:41.524{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2854-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:40.593{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61679-false10.0.1.12-8000- 23542300x80000000000000001290887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:46.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C56851D837BD1F12F65541CBBB241A0,SHA256=163E0A6DA183C2F7268C5E60CA1850476F8E4ABBF73E8155C052C3865C34E3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:46.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B183D109271461C1876B459B8F3F2CC2,SHA256=3F2AC4F11E51F7EFDE7E106E4000C95BBE0DB23C9E114ED41E7596EBF949C733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:46.864{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA62A2EC36757BB301B02E1BCB951DE,SHA256=21090C4C862EFDBE1E3ADC27F3737C6147E5728F4378129C5A7603EC937F7064,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:44.598{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:46.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742B20CD50426FC95F02A24D009C2F46,SHA256=5C0C54AC4B9F3C6615A5683F10BBD343BF90BE761644F07021F8AA06FB39B193,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:42.777{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-9623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:47.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AC3604B433EC610301CA2A4D7E33A8,SHA256=34278B03165F8A97ED7E922E3A064543D507610D22C0E75924ACE1EC2FA4192C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:47.664{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:46.797{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-49308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:45.694{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:47.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA570E287D18BFC297CBA91A2D502652,SHA256=40359D0F004786A7AE58EDBF7565D385162CE10F953EB1F02961BE449910B389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:47.164{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:48.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D8DF89389C7942DAF4C8B019571297,SHA256=164EF2E2336511A968733E8EB3BC104E93A51A3B2BEDFA183A062CE7E67442EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.432{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14AFC22B0C338BCF226C2A66F22D178,SHA256=4BECF860376E0CB06A671281BD302287CA5C62B126E9F123EA461718F6C264E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:44.098{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-16416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:48.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED229206F62A4CB5DB9B7C4B56FD9F11,SHA256=B186CC93E0207CFD5FE299BA2091B44811B6F9983333A3BE7882C6DA33C8CE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.095{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650A15BCC7EB21B1710CA1DDB4A4CC56,SHA256=C669365942C6BA4D04434F789AC7A9BB91D56307DAA8978C7FD5F517F7072DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:49.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB1DE26866D0EEADB49ED4E07142AF4,SHA256=13D45047F469310CC5A6F2695A67265BD699EB919F7F4CFA448F3863AFFE97C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:49.258{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-2121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.643{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001384310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.507{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.471{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:48.127{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:47.951{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:49.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51399FE5F6485E25233BE988A20C01C,SHA256=959A07BCFB0F0B2DC4F5E80EF648735C63C072A4C7D583BDC65CAA734CEB00EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:49.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C422E8144D94AB0848EFEB8129AB0839,SHA256=2005739ACBACF2D8750CBC887C467D00A0F8FAE9D3E12EB5DE2CA53867471EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:45.500{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61680-false10.0.1.12-8089- 354300x80000000000000001290893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:45.342{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-22977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:49.363{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0DD7F7E47EB61A6D5255821F4FFF4B6,SHA256=6CC50C49281BFC52CE27E17FB243B777841BBE57632AACD713ED06E50DED0870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:50.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58193904813BE14DFAFA0843A5B595A6,SHA256=CB014DBF3C44F6E8C0108FDE8DAE1E60F20EA7711951BAE699779D2C56B6F11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:50.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5488B5A7ABCC2581AD2F144AD744119D,SHA256=2E876B4EC846E3978C856BF3BCE92172FB35C804A0D1E871D58AEDD2408D26F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.307{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46911-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.267{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:49.610{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC827A34590A3A873A7F1A5125027550,SHA256=7838543D53266C6AA38DDB1B7735BDD778959C408CC178753CF12544BCE0C1DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:46.593{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-29806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:46.547{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61681-false10.0.1.12-8000- 23542300x80000000000000001384313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E595D88F5813CF43F6CA05A5C628DCF,SHA256=8AA3F8D18931AF5061160353F86B2AAE91BEAE00B73532E6A782FB001F353303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:51.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CC2A5AB692F728D91E9A050497633F,SHA256=25687F72F35C542DE79818CD0B14877D35FC3568FCDA3C2048CC19B615CFF1F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:51.479{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:51.442{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.694{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:50.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8079-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:51.531{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C9B95246DD6F9175041BE99CC8DE1C2,SHA256=921CF46EADA1671517AA4E709B6836A6B843AB47C623EB0D7CB8477477B737DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:51.494{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BF792D5CE1D9B7723A76F711EC7E57,SHA256=ACF6D2D735B4738672FD57C43FE608546B0DA0DF5C29AD731D8E092F6EABF055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:47.856{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-36612-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:52.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F3F87BBDB23B81A6311F2E8A047120,SHA256=01BA578C59684C52AF6782ED055642183B2544CA1EFCEE12393F9C4001C56705,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:51.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-47523-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:52.677{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C380A89EDF455463A492F6775D279724,SHA256=DB1399A0173936D5931140E709BF8ED04BF54D2C27175E7E227DC2B7E28F55E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:52.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8848DCF10328E31D94AF3DC49ED460,SHA256=1557DF0784816B381DC0D9B2A29B95ACBD798FD31E7EF86ABE8AAA194CA35AA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:49.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-43322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:52.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FC296745080345E633807DB609155B1,SHA256=370E1237145E9886F506C9515B6D91AC4825A62DE48C5AFEF5F7116D8F54C6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:53.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348B1B77AFCDFF6D5E4B86C82B4864AB,SHA256=A872FE3BFD47AEAE8793DF3DF7021FC6ED99AB4A47252E82E6507288AC5D2730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.811{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D9D9CFD63610729D941793E5FF4BE6,SHA256=B2C9C95CEEE0115D7652DD077DBF143BCCA934B3BE73EB29D54F58F7FB0D8A2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.241{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:52.874{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:52.623{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19193-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:52.584{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-59029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.529{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BA72E262E3697C976A1F258DFE5DC1,SHA256=8B67157A65F8499B86363AE609DF19E3C28E04B9BC01174416A68D4F489D0CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:53.445{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=545682D3F59D667EA90EF9128320482C,SHA256=36F8DC564DC76D3DF8D3654FA14246F4109B47BE1DEFD2909D7AA32808BABCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:54.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39E56AACA699D6B6C55D071F7D0676A,SHA256=95C60423A58028AAE315BC70C6BE5534B3C0BDC543BD6C703CC2980CD40A6CDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.991{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-55898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.795{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25517-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:53.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-6480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:54.559{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1A1FF2838BD954CA3F756999603581,SHA256=4B0391644250E89E42E83738AD85B0F301B376E47A80CED5C61FDFE2B71B9144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:54.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF6A7295C30F3E39FF70F14FB2A1D54B,SHA256=0EF561E2718965F25DFFAF06ABD69AB57A04B29228E5A5C4E6BB46C2D8F99FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:50.644{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-50604-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:55.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB6C29A1D8B820939E18253AB376457,SHA256=18AB8208BB3B85E02B6314292A83F5E227795F531A520F50A7A890F30C7DAB61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:54.946{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:54.839{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-12813-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:55.574{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DB1DFF31A4772A90633A2636A1CFD4,SHA256=167B6B5989F6A723B5AEB23EE3329A084D2C9208A5565075D1747988769F9801,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:51.888{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:55.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25C2BC27EDDFE3E164F3E158E0CDB14D,SHA256=C7A291317913B67DF48313944E7C05E0EC3CB00B4B5802C7D6C4CBB161936BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:56.043{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:56.024{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36751-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:55.120{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:56.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274ECF33CB505373D930A452BD3B5949,SHA256=AC893D45A90A2A059CB23F3029B293318F867DB1CCD0BE32A94E93DD1F003F45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:53.139{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-5558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:52.484{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61682-false10.0.1.12-8000- 23542300x80000000000000001290913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:56.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C7FACE88E4D0BF444B771C17138A705,SHA256=969A3A8814738A04CC0FA53F48EE2ED7591355B64166D4FE4F755C7650CB42AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001384344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:17:56.189{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001384343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:17:56.189{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001384342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:17:56.189{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001384341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:56.089{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=491C177DE98CB86B272E4EB47CE76FD1,SHA256=2ADACD6823288C00EF372572328CA43CA0A98E0525F1BE05CC7EDE1B6376D06F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.206{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51441-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001384357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.206{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51441-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001384356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.200{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51440-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001384355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.200{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51440-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001384354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.186{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51439-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001384353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.186{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51439-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001384352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.120{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-25744-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:56.295{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6227-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.626{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE024371BFD3692CD95CDD461A5C096,SHA256=17C17D4704D71B119F26BCCAE744F81AE80FFF179463D83F508394CDDA5D64A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:57.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2FE8884359C43E8B7784552ECB1BF6,SHA256=EB115CE6C230B6FA2E3D6A866518CBBCCEA438FE2ADBD9B0BEEDA9C6FBC73DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:57.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91AEDB8133D9B18ACF338B8643BD16F,SHA256=86F001ABEFD028BFF774D20CBD665B91BDEBEBCFD0122CB4BD8C5BBC801B4C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=037B435A852D8026543B50FB6B18081A,SHA256=1741CC8172FB529993B70F5480B6283AECD0D4587D58343CA65D6011016C72A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.402{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:57.388{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-10447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:58.657{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF055B95F1D612388BC36FF57C4E265,SHA256=7200FF099F37C7DE9E8B3BEE9A0AFC66D1A6007A2D22372B491149837D2140B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:58.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C082EA6FCECEB87D210BF2B88C46761,SHA256=7020810DC91315D3C0E28FB292D61658B1D94ACE245C43A2392D47D4F29C3433,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:54.513{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-12510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:58.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB11E1FBEF2BE50EA2F0E32991E72D4,SHA256=4089780C813CE3D039023CECE327CE7F6E409D78CB02401E4A271ED7D55A0540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:58.326{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7F51B56FC29A652AFA884CEF0BB48F7,SHA256=F20FF47A4F70DDB01BA717D87E98D0E088393982AE3086BEDB64EA14643BA63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.687{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C010BFB694FA465782CE5E0E540CA3C6,SHA256=C9F84585D21EF3D6058112A1D9A96C917C8640269FC51B2FE2FF1159740D05C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:59.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D63B7BCF72532527EDB3E8609928A6,SHA256=2E2E8BFFF641E828644245BE7794C21977134BAE3E92F120C62EFA062884DC36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:55.763{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-19521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:59.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9D60B7AB0FA29D5560E6C47BB0DD86,SHA256=7BBDAAD269903208E62353DF6B14668BC5D6ADB9A518AF7D5D4DACE2B3FFD50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.407{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A4E32DA60E27DF6C2A850A781273D2,SHA256=D447B6DE0126BB084B70ACDE02FA7AC610603FBE6CA027A8F7B1E66DFE6C4684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:00.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8865F9BD57FA0A9F2F6EBBBFD736025,SHA256=689032BF10F29303FFFA1BC45152BEB7559DD224B3C7BDAB31AA513A8F620025,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:57.096{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-26524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:00.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6E0330C8A916DD364339D6E88ACD42,SHA256=55670074DA2AC428B826A8B934FA58F7A6D459D924EAFBD63FC5C1546F798EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:00.527{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BC4156180070F186EAAC89210D6C76,SHA256=C59804DB52AFE0144C56AEE0B845DB489F3D5AAE0E9B7EBCF36AC4D3B1786144,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.557{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19312-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.342{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.152{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:58.511{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:58.473{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:58.256{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-31376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:01.725{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD6E611020F9B7390D78ACA997E10C0,SHA256=725D0D0A1ED986D25637AE0E91E2E602486052D20A8A56391D1162416F5FAD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:01.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2823977A4E5BDB683AC76182C780F01C,SHA256=4CEB28857F807242EF8E40623D1619B067F39D35409655DE95A1ADE174172F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:58.347{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-33129-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:01.029{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7195A588EC902FDF81F5AE7B0533EB,SHA256=435461F67995C8D80FE83B86E2E97AE43F92C3030FC6E5ED99A769FAFAADF60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:01.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74B4E742630F47168B1362EB5DB8D6A2,SHA256=1F64F821D1DA3CD049CCD9DF93B865DD799AE01FA49ABC7BDE3E171889CB1B96,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:00.641{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23858-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:00.422{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43266-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:17:59.701{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-54421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:02.756{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9388820DBEFA781E71E093C012A9D432,SHA256=12CB172123BFDE999AA0320BF8AADAE30B145AEFCC8442AFFDA89BA97DCE93B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:02.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0377FE5283AE3AE27FFFAF28A2891A2,SHA256=E1A149B169C838BFF8D2EDAD43776D5E31A63AB20D00B3DF6F4F233CA0FF9E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:58.473{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61683-false10.0.1.12-8000- 23542300x80000000000000001290929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:02.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB957D297B1E94AE9E7F9EA40C85B9B5,SHA256=0134F11794208BB0DF018A88C193F6042E2FB50287E6F85E3358247F0C2134B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:02.706{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE305FB64C576A8ED362773DA4D9853,SHA256=A85E74BF6095225BB7B93C4518CB35C40E1A1112E8B8A00BD968A99DC33AB8CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:01.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:01.542{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49227-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:00.888{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:03.786{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C438ED36CD8EAF80E62C09814B58511,SHA256=D7E3D92285435232E28B91B9EA9089167EF8A4044EE4011285F0F4DAA69F4077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:03.786{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FE3B1C5F9F6DBB882FB1DF6DCD83A1,SHA256=3D73B2C5BD422C0D2DAEE59BFD194CD65E1A5F19C8BBCA56D4BDE147D2C1D7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:03.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D19EDD40391E720F6B1748223DED71,SHA256=5AE3DDD6BB4CBA282658DB6FC49AD7BD248182FCF005C20BEB1A5A3BA045C1F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:17:59.598{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-39729-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:03.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148FE2D6A3C3428F090D8EF74C553A9B,SHA256=4CC314BC9FF08C437C30DC3BE1DCEA11B7BC90DF07EB6D9E8ACBB21A805C3DDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:02.841{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:02.620{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:02.018{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:04.924{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB5F9FDB4033DF9FA9C94F2F04A15CB3,SHA256=748090D235B9E8A40CEAF56141BC958740458993BAEB3651DADD7857A08B8F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:04.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF163FE8AD516EAAE29B912D304930A,SHA256=37CE02B43111BEE84B9E9BB3BA5D3EED3FC98DCDE04D44C3C895F13E386E2E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:00.847{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-46585-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:00.254{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com22331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:04.172{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5718MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:04.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ECB8A4E2707D98B789CAC53D948F6A,SHA256=A05F7A8571CCFF901D71D8B866927822E69647AC524AB483554B062D7B6D0B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:03.164{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:05.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A616F5BBFD6411E4F70DDB510510B1A4,SHA256=10F9E7C86E9BF2E28A147DA4AF48CEDAFE6B520843DAF08FEAD50B35BB3E57A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:02.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53160-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:05.171{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5719MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:05.092{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFDA283316FADD1816F2778D1A3BD15,SHA256=6BA29B1AFC69F09F3462BA37C2FA6D5851AC3E1E2E0B3563D68F2CA69632E5F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:03.918{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:03.718{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-1993-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:05.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D24F7337455CFF38144A4331EE81B579,SHA256=E98DA4FE5C6DB1D46427FFECB4483409DD9C029549D052FBE405EE1EF604605A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:06.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57779FFAD1C5B38E61C5B615C2FD0725,SHA256=4E9BEFD0157CF979F2BF131DF24B733B2BB4B81570CDD76C1E9037683803B148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:06.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5F43980330F4B610B74CDD10E328F3,SHA256=54D8C38FFC1FE5BD46CA7881910BBF9B3B0CC6B2AF350054603928CDF2880AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:06.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AC89D4C547ECB4BFA930FDE2DC938A,SHA256=3C4B6C1BD1BDCC71BE1872C3280616DA1A2F2500D52CC82CDBA7162E0CC68C6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:05.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-25765-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:05.306{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-41442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:04.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-7989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:04.298{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:04.234{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:06.005{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E498E83E246EEFE77362AEB2E996F90,SHA256=C7427241E201DBE0ACF1ED4AE956D0E94350B9464130519FF30CE1535BA6D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.853{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463C429BD7EA6ECF0CE9DB74A25F2F89,SHA256=B13ED69C5C2AAFAD65D751FEC2396A3F88682180851E49E52BC70863926AD5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:07.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52F6B5B724A825AD36F0FCB5C2EEAAF7,SHA256=1489C3856F097D1E46B28F0D7B95082E3F04DAE5154D015A677F615F6909211D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:03.469{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-1258-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:07.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88C262CC282CA97B93A229D6C83BE1C,SHA256=60080D97612A90C8D623D7555637D18F16C35B937FB164986C641A81FD095D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.226{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1401MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BC773A353193A16723FB0801DEAB506,SHA256=8E7D7E8C4AF9C7AB4EEF64FB97089EC80DD1600DF1A3D71B2E92F4176FCE360A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:05.941{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:08.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=718A28342257FB0ED04CCEB87E8A5E41,SHA256=658ED94B1A4026ED4D0534E7E8FC2F11A25E15A5137BD7F480926EE2C79A5237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:08.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84399F883CFB9AA3EB2EF54A05AB422,SHA256=1B792D476FA4957024CF55CDA7849E9FD8A401B9A68DBF291B67FA3C54F1659A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:08.884{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403B7D05883ABA5DAB4FBC246D2DCE4D,SHA256=490E022552F266919C5F3B759D189924A404B04935D3CE800A4FF02C2D9516A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:08.238{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1402MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:08.169{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6C0474871C988EDD9D22943ED31A08C,SHA256=4228DDA1C021ABE21B68F192AD6299DF748C01F7CBB1F759CE53851D0DDD7F52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.519{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.017{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:06.852{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:06.440{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-46205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001290949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:04.801{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-8548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001290948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:04.507{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61684-false10.0.1.12-8000- 23542300x80000000000000001384414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:09.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D490BDAC94AC785D2C6AE5E5B3141E7,SHA256=E76605C26955C57919505927930BD819C202597EC86F1F8696251A80F1D2AEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:09.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BC11427A31E67EC81B8609710BE0FC,SHA256=13AFFCDD3387A9DA41CBF0456A19A164AA9563D979EF0891F5A3B39637FAD765,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001290952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:06.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-15300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:09.252{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA531E3E32401FE7D09DFA07DDB7D48,SHA256=FCCB58027BA69F2670CA6DB364F477B459201B6232DEEF491DDFB803B2EC054C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:07.957{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3568F2E5941D56692FD1DA4AFDAA6F4E,SHA256=50E9B5771E54EDDFBA5D1D09365791DB8D8FA98B038AF8081DC27885F19F7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001290956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:10.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6184F865C5D912BC9AB1D575FC110D87,SHA256=A52ABAF4D19FE5224342915D47F7DA40D0CC6FC1AB2FAEF372BF85573BA37931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.855{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F3358751C46527B38C7D1237F043AD0,SHA256=9C1CB1D86FD7BFAEEA89F3A3872EA09AFB0DCF3705A5708232FDE1DC8FF81365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD2-6152-7728-00000000FD01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DDD2-6152-7728-00000000FD01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.786{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD2-6152-7728-00000000FD01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.787{5EBD8912-DDD2-6152-7728-00000000FD01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001384428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.406{5EBD8912-DDD2-6152-7628-00000000FD01}57646420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.305{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890D92075FD87A785F94B1A557321B04,SHA256=3E49E3AE4EFD8609A985EF9A5E55E35C6E72F93D77EAC41FF9C4E419CC2F2F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD2-6152-7628-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DDD2-6152-7628-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.121{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD2-6152-7628-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.122{5EBD8912-DDD2-6152-7628-00000000FD01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:09.185{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32133-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:09.039{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43312-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:08.601{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-55114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:08.102{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-26216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001290955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:07.335{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-21951-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001290954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:10.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A494EEB20576ABA06A316D4D02A0E51,SHA256=C503065FEA43344F084043DD45FF32F772D15582B1BFE22B8E79CD60DDBB7142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD3-6152-6CA1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DDD3-6152-6CA1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.968{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD3-6152-6CA1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.954{69CF5F33-DDD3-6152-6CA1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001290972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.796{69CF5F33-DDD3-6152-6BA1-00000000FD01}3483488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001290971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC7D10D21180C260246C4D97AE46CAB,SHA256=EEBE06CF8924671F24937F8DB6DE7C93CF6EF03271E9694BCFC4DCC428C9F1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:11.986{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDDE221AD72D6D1FA5CD6806B782E41,SHA256=B033B3CC25B49201D96C3635E04029DED1F9547F2E7530C06DFE9820B1E87509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:11.386{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00ACCD2A1D94D5379C0B44E88B36037F,SHA256=6EF30C93543D470141A930A59C4082B69053BA40A46C2FA5B45F241C1D8BAFA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.836{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4942-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.268{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-37730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.120{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-48710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:10.079{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:09.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-59827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001290970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70E9C14DE520EF3D88718DA503454306,SHA256=06F4B8BB95A958C4FFE5ED11200DC5BC76FC992960564F08C90CAD0923A61502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001290969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD3-6152-6BA1-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DDD3-6152-6BA1-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.390{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD3-6152-6BA1-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.375{69CF5F33-DDD3-6152-6BA1-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001291000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD4-6152-6DA1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DDD4-6152-6DA1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001290989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.655{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD4-6152-6DA1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001290988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.641{69CF5F33-DDD4-6152-6DA1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001290987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:08.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-28795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001290986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.140{69CF5F33-DDD3-6152-6CA1-00000000FD01}34483852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD4-6152-7828-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DDD4-6152-7828-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.739{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD4-6152-7828-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.740{5EBD8912-DDD4-6152-7828-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.508{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC5914A5842CEC2E28B0596EE20007A,SHA256=34B3CCE1A37D1783F8311C32FFB12358A811DC8329E4BE433FBC33EA0905CD21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:11.354{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:11.322{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-55170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:10.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-35911-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:09.585{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61685-false10.0.1.12-8000- 10341000x80000000000000001291016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.530{69CF5F33-DDD5-6152-6EA1-00000000FD01}24521192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD5-6152-6EA1-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DDD5-6152-6EA1-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.343{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD5-6152-6EA1-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.328{69CF5F33-DDD5-6152-6EA1-00000000FD01}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664D5F9A56BFAFACBCD38275CB2255CF,SHA256=E130B77365657157578720E1ACA0AEC4725E394398D718D055C5E985BACE11E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.077{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D11398CDEC2233ACFB0E20BB193D3A,SHA256=FDE52813AB17C2B63AE5BD4C5D892339E655665A7E1A7720B4CAC1B4EDE616F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF3EBAFFE1C14C9371502DC1AC0B8670,SHA256=0CC9A25070ED40A38966C7F63E8F93B2127B49FC301D9819A05CEEDF3A377A62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.569{5EBD8912-DDD5-6152-7928-00000000FD01}69526980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD5-6152-7928-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DDD5-6152-7928-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.407{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD5-6152-7928-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.401{5EBD8912-DDD5-6152-7928-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.467{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49348-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:12.426{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:11.917{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.007{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8248A2269FB88548B802F5AFA47AC8BF,SHA256=3D14CF1AF7B7EA11DC961E22161C4645796A662A61C284EA8F778419136311C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD6-6152-70A1-00000000FD01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.921{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.906{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.906{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DDD6-6152-70A1-00000000FD01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.906{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD6-6152-70A1-00000000FD01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.906{69CF5F33-DDD6-6152-70A1-00000000FD01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:11.333{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-42619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.280{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FE7CD0BBE17D62DFF8C1C746B00FFE,SHA256=8FFEE6C03102D2CDF257D352637776E2B2B3DF8DFF234DFD5A5E57F72D8D703A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=812823F2917D9B28A9120DA9D8145B34,SHA256=A85603205FA84B0B5E4C07D47C73DB7F7DFAEAF3C937D60B921EEC8208B406C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.556{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-55272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.540{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:13.008{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB885C8B2DC7DFD61061E342842C94D,SHA256=97FCB347F8C6BF611B7D80CC7C77C917B375D546633BDB07628DF43C74BD01A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3F4DC114067617CC49A0A654288A716,SHA256=B1CAAC9C2EB1CBAB3B56D2AA6D7D2A0E199ACC45934D16B63F0C02693CC36072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDD6-6152-6FA1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DDD6-6152-6FA1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.031{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDD6-6152-6FA1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:14.016{69CF5F33-DDD6-6152-6FA1-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:12.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-49463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:15.406{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B24190F1009E77D45739EC1E4F8ABDB0,SHA256=F8D82038A6D011A4EBF176EC048B386B838C7E58BDB4EF04FBA4DA0ECDD32430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:15.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CB5D5451FD0077C085004CA810F9D2,SHA256=8F761D73CB1FA4B135AAB3167FAF448A4DB6B0D912687E7560FC8368E7CEE586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F38B802E513EEF66CEB8904EDC29796,SHA256=D5D9D955D849E949C5EA48B86674C3C6B08982E43A3DEB813F9F48465B131744,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.685{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5887-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.670{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.650{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-2288-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.099{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.037{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3D63C464C9F224BC36CBA3D57E8246,SHA256=BF4E138E32662C0D057BB9F8F67F9F3B7FA111DEE9E457830603A65169B29D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:15.077{69CF5F33-DDD6-6152-70A1-00000000FD01}3836136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:16.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83B09D4A7D72758D15C472BB0754763,SHA256=05594C9704D30A89BF675905E207FF887A5FA07744D3BC371BE872D80070614E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:16.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EAFA825D676933853778185EB96CF6,SHA256=809955695EAB157BE2AC095E8B7F4E0B18329A9081F1EC34214A52C0B585914A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.866{5EBD8912-DDD8-6152-7A28-00000000FD01}63486364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD8-6152-7A28-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DDD8-6152-7A28-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.666{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD8-6152-7A28-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.667{5EBD8912-DDD8-6152-7A28-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.035{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.018{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.009{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.993{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13142-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.972{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.969{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.945{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.931{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.922{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12746-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.908{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.900{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.879{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.876{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.841{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.838{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.785{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-8419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.218{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:15.216{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-22639-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:14.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-6141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.051{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DD624612E7A1BD9BDDB6F0C7BA9C3E,SHA256=543ADC74B02C1E4EF38E1EFF5C8D56156866E4F0F299560A1C345DA1DE7AA7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:17.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F506CF133EFAC55AAF6BA3BE3A739C3F,SHA256=F0CE4FF2D703EEB011549436D4C46F54C7C07B3C2EF710252CF6BEA907615261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.669{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFBFA4782ECD2D4EBA8C613C268ABD52,SHA256=C78AC06B3CE45637501990FC8EA35B09FEDD086A476B57F564981E32B7329834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.522{5EBD8912-DDD9-6152-7B28-00000000FD01}66486456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7130885C378359DC274D232D3781216A,SHA256=A6F1E231A952283A74EBD536027DAAB9D3F305E51179D8F6E00E1171A8C5F94D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDD9-6152-7B28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DDD9-6152-7B28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.337{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDD9-6152-7B28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.338{5EBD8912-DDD9-6152-7B28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.096{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18846-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.062{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.059{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.039{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15040-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.036{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.999{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.996{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.964{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-18085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.945{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29589-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17894-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.908{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.908{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.889{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.886{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14150-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.885{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.865{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17689-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.848{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29306-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.842{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.826{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29229-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.819{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.801{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.783{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.763{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.760{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17309-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.736{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.713{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.704{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.676{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.668{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.646{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.630{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.623{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.604{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16453-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.600{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.578{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.564{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16264-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.556{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.533{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16049-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.519{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.497{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.494{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.490{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.475{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27774-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.471{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.453{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.448{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.425{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.417{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27489-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.410{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22122-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.380{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.372{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15024-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.346{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27244-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.335{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14799-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.322{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27157-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.306{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.299{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27077-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.297{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.284{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.272{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.260{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.248{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14147-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.238{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.201{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.165{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.141{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.106{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.082{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.065{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13577-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.059{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:16.042{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-13429-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:13.987{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56747-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B169647518D6A8E0B9775E37CA76281,SHA256=6EAAF266D9E44936E2F7479FC91820E9B5AF433DAAE31CCBC86725BA450B8576,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.005{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23769-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.986{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.981{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23298-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.959{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.940{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.919{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19771-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.916{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.882{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19636-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.880{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.857{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22553-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.847{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19490-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.825{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.793{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22470-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.766{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-19020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.743{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.742{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22309-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.713{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22089-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.680{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.656{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.652{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.633{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.611{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.610{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18047-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.588{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.565{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17945-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.543{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.534{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.531{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.520{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21045-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.508{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.498{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.498{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.476{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31752-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.475{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.471{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.453{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.453{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20584-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.433{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.415{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.412{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.410{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.393{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.389{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31362-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.388{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-17001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.371{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.355{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.333{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.327{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.320{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.297{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.283{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30789-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.271{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.260{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.237{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.236{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19511-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.222{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.215{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.200{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.199{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.179{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.177{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.177{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.154{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.143{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.142{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.119{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-19024-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.110{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-29841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:17.105{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-15454-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:15.397{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61686-false10.0.1.12-8000- 354300x80000000000000001291058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:15.331{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-4955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:18.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F7E9C20DF11E2F37519AE158FE8141,SHA256=40721C026A6CDF849216628D47A11138501C49BBAAC9C5740ADB57DA5623A1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:18.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ECB78303EA2556265DD1E0F8ED992C5,SHA256=474CA85855C549549C2F868390A0A7A99B56257A82AF0F6261D6EF30A582FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:19.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB3D492C7FAB68C12E3B56C1FE0A02,SHA256=0AE823A2057AECB5C4996DCF36E8BC2EA3394BF302BF87526F7AC324FE39128D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:19.452{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440AFF975CF46E2843ED3609B4F6F446,SHA256=913408FBB5DF03D73A14E8EA8090C7523791D45625ACD8BA97215F5EE60E80CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.243{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21646-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.220{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.182{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.160{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.137{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.122{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24506-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.113{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.091{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.080{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.054{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.049{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.030{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.012{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:16.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-11808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:19.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92683F272307044B53E735E69191C134,SHA256=BBE8CFC19F1C8FA188555DCB705800CEC58D6EF59477C1F0D18111EC08F66918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:20.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEDC929CBD03B352DBD4AB351AA6AEF,SHA256=3DBA3B3253F892CFF1DB912DD5E4C2005A353A0E1A18EC51386D2EE2DB335A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.419{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BF92F92EB7328721CCC0F73AC3B0F6,SHA256=CF03A44812D710CCF38E57976E4B906834BA9CF0D8D849E924167BEB239763BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:18.266{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21783-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001291063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:20.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EF5AA93362C64CE93833BBFD95EB8AE,SHA256=76C6D00D46A75A7E6202EA0F2D94683EE207BF9724169ECF283C08A266E21281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DDDB-6152-7C28-00000000FD01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DDDB-6152-7C28-00000000FD01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:20.004{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DDDB-6152-7C28-00000000FD01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:19.999{5EBD8912-DDDB-6152-7C28-00000000FD01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:21.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78CF95BAEC92B886846F1B84BFB6657,SHA256=DA979364FEE221086EA671375A216A8DB9EF6A458CD31E7AC9E42DCA716708F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:21.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2338C38416008E6ED937BE435002C2,SHA256=0EAEFC79CF760482ABC0EF222694AD4BE6CD7D600BD5CA4F6015284B0120D01B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:17.894{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-18707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:21.003{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F136F5DE351CCE42679C639C223917A0,SHA256=F17E6CD367080A963A798A6AD2ACF52F1FBF64170C6D81F03506FF0849E6CCB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:19.146{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-25521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2579653A6AD4DA87EADC840F175276,SHA256=29262066D2AE1CB8EB76DD32322807D3662405DC2A54AB4485B28010DDC800E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:21.162{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:22.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD406135FE6F00DA7329AD859CD7B71,SHA256=BC68B7A39348A3FC3E4F9CCF61F638EF96512FF41159F73782A3D6D8DD5DFDA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DDDE-6152-71A1-00000000FD01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DDDE-6152-71A1-00000000FD01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.500{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DDDE-6152-71A1-00000000FD01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.469{69CF5F33-DDDE-6152-71A1-00000000FD01}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:22.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FDB13B811A96475DEED9760BF3BFBD5,SHA256=C98CAF0E08EE9E12341134B3FA16F3E0F5DC903068B8E7348BFF7F8D26A1C016,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:20.500{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32818-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:20.476{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61687-false10.0.1.12-8000- 23542300x80000000000000001291084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:23.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E26BCA1DE1E4BCA1E69DF510D81A72,SHA256=4A480F3A10568E8622926E9AC4EE2DB4FAF1B832802D9051EAB7BCD1BE5EDB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:23.497{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F140A2E4D8A00241BC7405477345DAA3,SHA256=5F6A7494817B8BAFF4C2C7B37A33A98193F84A025BD8CECC1B25E56911F506F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:23.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E770CFA71B74AE49C8314A4B9A832AFD,SHA256=47CFA2C28D6D1B8041A105CE1F302342982BAA6F11F5C0A54E253297BD8E7EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:24.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A1C8072E846560C688931DED8D721A,SHA256=5B7CCA43658721DB96B24B8E5331CEF5CA747F3B3493D617D6B0E5BDA1F9BCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:24.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F4CBB8F6FC0C5A6B96DC82D481C38D,SHA256=4E3D2D3850FAFA43CFF1AC908065BBF5DB06CAD1AA076877929656282B3CC3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:24.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A52E755F8F4BFE72555DCDBE071E179,SHA256=B10E3E096E5CA380D41D02164D55A3E159DD24840A5875ABF446950D0CC22DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:25.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F968AECB60BF2F48E3D542F63D753B5,SHA256=8B93B42FBCB9A17B12B27E892094EBFBCCB67CB5D7AA5CAF3B228EA754B5C104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:25.561{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21E616BE4CE3FA7FA352A26FE15D0FC,SHA256=DB1CF503F0A232F554F984C9835F2065CE5AF792006D6AC84F7EE62F68586F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:26.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AEF6BE931F12B06A3FD003BDA576D3,SHA256=1A3ECB62075B138729C3C8D5C0BB7BE0DD6D1F16B80A0B4D7B7719D016B92F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:26.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D322D0AF4843E9AD30D981CDFD41EB64,SHA256=EEC9570A51FB7F5B9B467A1DEED14199915C666544CC49808DC4B280A0A76EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:26.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67FF183DD345840409E8828EF66B02C8,SHA256=9EA88842699977C2F36C50F7DB12C413B2F35415075E69D7C370C632E8145652,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:21.740{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-39452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:27.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9076596A1E0966364A9253C6678DF308,SHA256=214DC14081301D0B8C4648B08288825670B0861F7832ACB627E1453E48AC462A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:27.612{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F47EC731EB2CBBAA751AB58E5C140525,SHA256=407F839E4B0D9BD671103F640E86E83D9D6C476ACAAB939F0BBB7DF1EFA988F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:27.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3065A3E2A29CC080027BB4E6076A320E,SHA256=73CF1B9E4A2B8FD5B1CB887BC0B49691EAFAE82BA211F73D2B16FA3E56936052,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:23.136{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-46743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001384708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:27.124{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:28.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D933885377771D63F88FF9A89EF7EA1,SHA256=13C9ED8DAE12AA566BD928060814730BFC8EBF304FA896AC3741A1B706754C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:28.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=600F64BD801D467C8E69ED1F32C1517B,SHA256=C345BD0FB534382C131CD6C86627AF5A845EC4B04852A11DF49BBFC6CCFAD112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:29.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53AB5717FAC61E8D6F9BD48782106C8,SHA256=AB02B57F79B4581F0B432E1DD9E9045A52BB7EEB08F33A253DD325FD371AB7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:29.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD8A80A8EC26C87687C4E2B0F556F207,SHA256=57215DDE6BB37D15AF24538B33C33130CEA0A20AF13ABDEB8A79F66FB3D17FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:29.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4F6A15E9C580905FE591030C8C57E0,SHA256=A3AC868A05EF3DD435BE0C19F568853A1441356E95959231100AA32EE3B22402,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:25.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2329-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:25.492{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61688-false10.0.1.12-8000- 354300x80000000000000001291097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:24.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:30.671{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13897AE7E205F26D584018B49F1699CE,SHA256=FFC01F22BC14ECDA3938785657430557A02A0BF7864A666A5706330497139DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:30.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCB6F59868EF12EA8039B22781EFB7C,SHA256=4C59AC4AD61AECEB6494E059F56B077274E34CE25000E11B8D18C6BB30DAE619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:31.692{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AF44B69E76F904C11212F00DF6A785,SHA256=3173CCE064383A1F36D1A3749610D45F2C8D76F8217858D77DC02F69E509AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:31.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DADC843B35DB252B0A6D85E733044AB,SHA256=3DDC139AB0DC4F8584D1B7314EA655A986DAB2A2993E1A53649AB58286E4714E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:31.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CD3F51FFC21D0903B4E3536ED0EB391,SHA256=E78336B2E60A72942943CCB7E3BB2377FFC2B4CE91E7C0BB64AEA3F15D39651D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:27.160{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-9258-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:32.707{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D95164DBEB2D02D3298DAE4F8EFA153,SHA256=86BAF67B1FF783A6362BFBCF0E9BA8584BC563DE0393408EA96D24EE2BBA4CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:32.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5390070A92C1F2E592EB3D88CEC4BD,SHA256=A6E91C9C578FC1F66F7A3D4C4D11EAE29DC58339B7F64279378980A5B3DAE9B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:32.250{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001291107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:28.395{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-15908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:32.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7939AA8F8120AC4B882FF2304431D1B2,SHA256=2498CF7DAAACCE736B8E4280F2959BEF100681333FCF5F6FCEDDCE3CE61F3AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:33.753{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A806AA7E182C1F9AE4E2132AAE3A15,SHA256=8BA10726B27A9F7A5F3E9189098CCA88AB5A0CF8311D54FC7CB1CE2BF4AEBAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:33.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0E12FCF79D3096E8B0E078EBE95119,SHA256=545C0E5BC719CA389F7FD58F692237DDF6619E8280B2C1EDB44E75AA41F75C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:29.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-22503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:29.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4486-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:29.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:33.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2912F65457E8B1079799D924F867B538,SHA256=E3E3E5A5DF8FDFE680B1DA1F49F71817E5DE685F774E64C57947826CCF2AC8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:34.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CC169BFC8955A3EBEB3BD07660AC24,SHA256=E75AC7F939604E54C3DFA48E0703BC2DE93E460A1AF04955FCFE7C3D3F70437D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:34.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F75AAC69568E493E476BB47B6203645,SHA256=5109413BE7B3B4DDB1DBEC0130076123749F058EB7E2E273D9B17836C36D2565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:34.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F458022BB391E7031CC9B06DB44455,SHA256=9F2B879928C72F5818FE43181DF98B854060DF8226E07EDBAC3732DB0D2CD526,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:30.973{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-29502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:30.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:30.585{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61689-false10.0.1.12-8000- 23542300x80000000000000001291121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:35.703{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E7D8BD6241FADDC8892D78AE8ABC17B,SHA256=383214C252DE69A571953D1E8A309BA2743EB78572C559465B5A195CC1CEF535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:35.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C65AC91A27DC7E19E69AEE8944059A9,SHA256=DA9B992C12822FCB164E713AE996E57FA067EB9DA1A708C36898D12E3F8698A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:35.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B21C0A3769597C7377BC2F941C018FB,SHA256=0F70A1DE4661F7C2F546EBC1B0973DD10ED949F443ADB601F8F1B955E6275A66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:31.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19709-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:33.757{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-43566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:32.997{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-28306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:32.505{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-36872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:36.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A83659AC336DB60BA0D32418342014AF,SHA256=5C5683A9F79D4F785E6410D1896AEC07C9211C9B980CF26F4C1AE62B2E977103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:36.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB08A5244A135511EDBC1C7B8C917A5A,SHA256=D90D62228715FF105ABFEEE7BA349CACAA6DD3FC6883148AE0F276EF2A6AF932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:36.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0418E2AA47F29327F4927A69EC069C1,SHA256=E3396DC24C58C1BD20BACC22C2C654EB6F16F48F4C53C5FB65209B29658C101C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:37.834{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29584D5D350E4627039734524958F923,SHA256=C553DBA6FCC4BB23A566DE92908167E3BCF7506775A9AEE0D46283DCAD61F6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:37.877{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED717C233E7B31612CB877D73D6AC6F,SHA256=C413C9E9DDC04277A978B4F6E42C09BFEC907D1D71D31E91B3DBBEC25ED41722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:37.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD4F4DC3C27B52A7B093371C5D0AF50,SHA256=2E42AFEC417811BEB12896BBA54002ED8C12D4485A7D813AA53D7C0E2DF7E364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:34.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:38.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73F2B8CC0DBF14581F525BD94859A8E,SHA256=334FE3340665FE78763C4F1BF00BCEC0B158093D613FB8588A4429DCE3B6283C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:38.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254A532B1E0E6A949D8A1A3D26FC0772,SHA256=89752BCAE28AD0E273100B151B3F6CEA8A5D0FD440FE43E9C0762D9789226455,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:38.030{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001291131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:35.255{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-43877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:35.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-50023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:39.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025BFCE0743734AE365465CE14C12540,SHA256=089CE109949698791A46954B405901CD962EE9847E5D23ACE15B79A18C8E7EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:39.939{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B18862B1FF1A97E039F5D3D8D43389B,SHA256=BA72F5FE2FA4CD92DB5069263482EB183A33FC44C39F1FA2FEAB1840A96B3BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:36.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-51316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:36.304{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:39.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAED602BC168EC8060980E4788064227,SHA256=9EB6156163AD7023FD3B98B56132F601CF922F8CCE8B36AD5C21C99A838CB45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:40.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C0BB76BECB4ADF9C6F94D69565838F,SHA256=49D509F7367B05416D276E92E46BE34BA4946226A571F73F15952EF1FCEEB47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:39.853{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com44982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:36.494{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61690-false10.0.1.12-8000- 23542300x80000000000000001291137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:40.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A433AB0790530DA33B6C3D6885F587,SHA256=A1935B594A28BD713FBBF179B8E72ABA92955CA8C81E451CD67FBE62263635FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:41.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558B11ED1A21C8CD7EDFDB1902164728,SHA256=F414DA37A0996AC7F02DB42C058F34D4CB4D53B4827009F8E2F5B50F614D243E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:37.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-5123-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:41.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7753775DBB9D8E8B64F17A1565926A3E,SHA256=853D676AE5B545EA18BB67DC81D76732B32F8A9588C1CE0AA3310AECA336E738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:41.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59F74507FD6C4714E1BEAE023B45421,SHA256=2933EA5E3255B6E805CD29DCE0FAF6014A539955E03D3C98AFBE7FABC6B8BB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:42.942{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771299C1E80F7816705B81BCA6D4BB82,SHA256=40A346593386EF9FDAAD715F8082F206D904123E96C7E71C09B123B5742DA31C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:38.953{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-10994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:42.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8C391788DAA94D3517C95D055807E3,SHA256=2AFC644DEA57F630F0BFE67A95B8BB6E3DABD40459A238EF0656A8468873C6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.956{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AEAD5A2F1F250D4481FFC61D970C37,SHA256=79A795D820E0E7B6918AFA7F837DA34BC9E5E6083ACF5BF21400D09B8A073795,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:40.498{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:40.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-18409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:43.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D72CFE8D014AD95CF63E6FA84695E19,SHA256=9E116B7E478124886E2B4E01204486208904362330843AB32A5F4D32898EAADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:43.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC33F7FA90CA586D72CA1F0CC34EF8A4,SHA256=3982525091FBE8E6449992F320DF1D81D116FDB342168FA8BD43794A9442BC3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.050{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51450-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001384730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.050{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51450-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001384729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.073{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DAE093279A10079AEF7D34EF1CBD39,SHA256=E17B398D6B02680A2A5FD4C95E06B60D537314DABBFCAAB27A67B475CACBEE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.073{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1394FB767D229382335338A157A3DEA,SHA256=E03FF6252CF2BC6936DC220CDF1E234FC912ED1BD3CF67F2DF13BC95E3024B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:44.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFDA5C9179F1BA1183E098AEC55290,SHA256=764269FF4D197F9E7D49254184EF534A7FC5BE37B26017B3D14D7FF2BDDE33A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:43.206{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001291152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:41.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29060-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:41.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-26101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:44.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F10EB77BC7658A72CC2345F1F35DC47,SHA256=93DDF3C5990E6EEC01892E4DFBCB406A8229DA553A117BDCB02A68BFFBD96413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:44.330{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE8917664ECD456AD8B426E55762A465,SHA256=583AFF61A0D9B72D32A416505DB6DC62CF2614409FC14DCE6E9BFCE07C42A016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:44.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E0085C463BC204D272437F16BF2B88,SHA256=CDA713F8F096689D25AB8AF9B07107A0C06AE7430B2E5C36C43AEE9363BCC0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:45.987{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488644F48E8EEB3B8623C7B04826DE2,SHA256=E2B0DA582514C76A3E0B81158823236F65420395F9B234F28C2E0BD7DD870F21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:42.867{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-32711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:42.720{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:42.447{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61691-false10.0.1.12-8000- 23542300x80000000000000001291154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:45.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50074420C84CBC6F8B7D6CE4C8A93578,SHA256=8A0D1BB5601C33915D87E18D8160A8FAA044833653929A300968C2B98FB8590F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:45.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31468AAAA043BBC26BC072D71613E8D9,SHA256=D26042E81DDE78FF467FE06BC836EB1C015ADBC20038702E6C2EEB64D111E666,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:43.895{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-45225-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:46.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E04ED43E77F56340BB53FF2355550C,SHA256=15AD62BBA67DB97501B26538C8FD4628F470C2EB1BF4D5A8DBAE9ACCDBB83FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:46.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5297684309B84AC29EF9B8DD002AE9,SHA256=284FFA928BA3F629792F632725A6F37BBD14716BD59B0143F92A50256D3A5DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:47.767{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C09D75FB87DFED208CB18E17E203EF45,SHA256=5A3A5AA23F0B574ADCE939B8BDB6E28E32A27C34068F3FF37DD99EBB8450E09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:47.189{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:47.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3608609B89E4BA571B8B1AD0EF7E2E21,SHA256=125545F6210069A0240D99C4F192CC1E16E83992297184FFB2D516254A2BF57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:47.688{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:47.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC9BA70A0F9919AE5731AFF44EE7C03,SHA256=7EABF165423F6F3CA3702DED134E448FB958FD0C2B209F0A2B1ECB69E3D574C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:48.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CF5C3CA9969BC2458DD7496AD7919D,SHA256=6A449C99276C99522530CC3119D0C4C977B15BB9332AA18E49099C499E7C2247,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:44.334{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-39425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:48.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671C2CA05B515CEF9CFE9F37E992C3B1,SHA256=26E81BFD1C5DF312D3F22AB9DEE8FE93707F0A3F4CDDBB1225A7D62CFC609F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:48.663{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001384738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:48.021{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E693EC6C4B7973244051ED3A7B737B7,SHA256=F74817A4ED4C8CE441CB582A13423FB09E0A315C8FABF16AAC943A2CA9624F5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.200{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001384773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001291171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:46.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:45.616{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-46853-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:45.525{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61692-false10.0.1.12-8089- 354300x80000000000000001291168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:45.028{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:49.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D556F1BEFDDE1A21C2EB80925DEF4C7F,SHA256=224B594A1ACE15D2C35AB9017FD0E2DFD28F6605089837D58F513964031F8974,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.204{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001384740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:49.051{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F649CB64F952229AAE5B88FB8EA62F,SHA256=B56078D6998B5062B5BAFC0F82FC6BAD75C43C95171D721E8F3CCF9CDC376DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:50.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656B49F4E3DCFAED040AED180CEA072D,SHA256=743642AF2C826A8AC07CFDFE955C2566BCAB4B33EA8B5F5AF3243CE858750519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:50.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1090C5663C3943908B892865285BAE7B,SHA256=A101462B233046CFA65129517405A3932CA1DC33102795273F6DAA4A034346AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:50.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2802935184DE414277E51D3FFC943CD,SHA256=44829C1E85C49146C2C1C0E4CF1DE0A2033487838AB937E7846973B9DA046778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:51.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856B92DC39067482E207D34BA2624D14,SHA256=DC946002A437E2A89DAD7CFF63973BF0655642EA45AD80EF71134C301D8357CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:47.556{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61693-false10.0.1.12-8000- 354300x80000000000000001291176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:47.267{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-9693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:51.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D302741438A7FF814EBD90E90CC6A26,SHA256=D95B0FC1D0F7F6C7BB42C04E0B82C422D9334888B7101774C1DF859886BB8906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:51.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0EE9B24285D2A1ED9B8ADC591084A6,SHA256=0706A709F5DA990511B3DFC0EA040688B5B549404AAE8906126CD56808DDCE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:52.448{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34BA904D7D095E81F685E16554B4109,SHA256=8978C519B49CAC50B33A0815694713E91D4FA83C374F7E5137D5E9B9ADF5F525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:52.502{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCFF0E988A9B32EA03CD5C1A1AEA61A9,SHA256=CF667CD887204526A60CDE0676B7F4594706430493B8F0895C0E2732520F2BA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:48.531{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:52.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42467F3E0C96DDB08181D3BB47BEA94,SHA256=A9D7AD4ECD0891336AE2A543F4C6A3FC9676DFB3772F7D17A1CDD5C903511115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:53.481{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560ECB852D46D4913295FAF2DFAC2A9D,SHA256=B20ED922173011D19304118FDCFACDD0820C6F7A1379ECA30217DF4210A1B14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:53.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75CB2336C402D5F1A2C8F2415135EC5,SHA256=BDACDE0926425EDD83210D375F0D3ED9028C60B5D0B4034FF1E4B2521458C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:53.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A924E1D81E2DABD85BA8836B096ABF,SHA256=CFB790E3DC0505441C3810BFEC9B945F5FF1FC07007936E0F494AC13035C5AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:54.500{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28717094659585BD15F2D3C69D19A5FD,SHA256=64ED9BA940B8EA97A388DB09CE237186F03B7C59B94B53CDCC73F6A899E1E3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:54.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3379C8DC89EA7F882B22C15CAFD94E,SHA256=B65450BC5E82D85A5A569E586474471C10625C0F473D0795ECB5E2D3676D8E49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:50.990{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:49.753{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-26254-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:54.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356592712E09275195064BC866609637,SHA256=ED8D6997F42E99EDBC97A6CBDD71FBB9B7366622823526C810BA215DAED0C6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:55.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DE20D525F7DAEDC9F24EE31B4F81B8,SHA256=B4D7184250344C8289D4F6E36BBBD003DDEFDC553A20AE370F96706686FBA966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:55.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46DCE561CA568ABFC3885948B8F82258,SHA256=0DAA1596ECEAFDD98DBA420FC2EE5F1AFD4C3118DD4259A487C362933D493BD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:52.092{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:51.708{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43321-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:51.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-42793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:55.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A45F481DBB48F93D5D50EA87497FFF2,SHA256=28F4ACF7CA6D5BEB26854C34F5B660900B866DD94644959F98004F5B4B7603BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:56.518{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CE9312C87AF7D099302B13E0ADE730,SHA256=D478ACFE54147DF2FDBF7F47CD87D528E3D7B96DEC57DFB6AD3100D310025F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:56.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9376D17CB346AC98E564E63EC6D70FD1,SHA256=4DCCE801BEE4FA853DBCC0EFDCBCDA04A430B2C2D89FDF59682489BE0247B86E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:53.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:52.935{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:56.189{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36DB315441AFC471AB4538871A4E066,SHA256=631733FDD68565B51017D13F6E6D62862D7A071C316D7B4A74E24B56E0CB774B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:55.217{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:57.602{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0902D6855996A35B31721BF273A5740C,SHA256=4DB653497A50ADEB40AD527D83558696DC99CAE2501FACCBDBEE1C4BC8ED15A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:54.155{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:53.415{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61694-false10.0.1.12-8000- 23542300x80000000000000001291196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:57.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788AB4CC08D0DDDA9B8CFA8A6ADFDE18,SHA256=C0B126C51AAE581A9C949297F4C3F3C7EE4D2C93C0357A062D5A9C3143DB454C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:58.632{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE2FF3AEBD3C4BDD7BE4ED86BC25904,SHA256=F436275E056C5C1CDA60AA6A666389E255A9DC9B147953DF8CF741225A73A392,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:55.343{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:55.279{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:54.264{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57479-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:58.209{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F96B0DB81D901F06C0A631CF34F3AB1,SHA256=D825389D715C544A970317D1E37197979264881638F76FF180A666ABB34BE6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:58.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A5E09D65362ACF10B86F00D79FF8BB,SHA256=9E732C64BFB09276000A39024534B3685AB77D75F3CC9AE056657B4098AB3880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:18:59.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0AA2145C500C608EE19C03662421C4,SHA256=85D118D23C6DC8856581D2603E7E4BC07EE414081D6D042BC5DC1ADE6DE31E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:56.447{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-13533-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:56.408{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:59.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694577A98F3329A73C621963C26CFA91,SHA256=DF18C94AAD5B8A3FF875565B6C44108073BAE24A66E2B8A7ADFD0D1DD0DBEF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:59.146{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A457AD67BABA02BEB7738F7F314CEC5,SHA256=1E76F66D912E97DCF27E2B796E6FE0F3C0514EECA36061408A50653345B8B703,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:57.627{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:57.519{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-25318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:00.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3077061CEFAA1113C9F27A92FDD14E1,SHA256=C94027DEE405B6B5A61D6E17DF62E12595EC0D7641EC7D24FCA5578229FC23EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:00.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99CDE316243829A51F6954F2512C733,SHA256=381C97CE22ABDE972E3C3653C0EF0D57979837D708EFAC1FBA8DF06CB8802F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:00.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B565FC90CDAF70498CEEE07A284E4C35,SHA256=DAD194823C3452188B740A9965A33461ED742C0FA6127FF011194825D3986304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:01.699{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7CB955E05DCA9E7E1D1D9A54D690BF,SHA256=A32682B9D3BD2CAB79E189586FBBC166A8B4D3021D6AC7F98ED43D1FDA3A94A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:01.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B889E3EF39E0542988E2329C85DCEFDA,SHA256=10FCB5083D3EB1BA148EFF90A9F79F1C0D8D9661A64261B2A9A48B5347EDDCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:01.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D70C395C905F09D0840861EF9A8AC2,SHA256=8E42EBB259507B252BE3AB443E3B0C6481C8FA3BFF5E0AE39CDA112F60A609EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:02.729{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA97A3FF9FC75912F4B9CFCCA3B208E,SHA256=EA917E77EE732B961D1FB592715489933A1E62F953376DD6E02DCC7DABF92EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:02.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEB49A831C69AEA5B0324EE834DFF739,SHA256=55332C5A9B9C970443FB77D60BD441EAFBA74985D050AA522B2F237231E90165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:02.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBA2AB98136114ABD97DBA9B62EAF4B,SHA256=367C832F3B3A4C2B0244ADA89DC4B129F7356400032757E0099C38923DC0E504,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:00.996{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001291215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:58.597{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-32889-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:58.544{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61695-false10.0.1.12-8000- 23542300x80000000000000001384790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:03.797{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8925289F033CB28A63624DCC26D31431,SHA256=8B19364807951DACBB89E5FB6E3946219AA229A078FA7DC67C389FA15CA1D29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:03.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCF73EA1E5980C1F0D44753F2CC4625,SHA256=5C305F2D2022A48955A76B763F951060480B79F29AEC0C93BE4F10FA7B85B743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:03.271{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E4B8BE802DCE4FA7BEAD0C323D0CD4,SHA256=FC00CBA0F5CD52BD2420A67AEFA2CDC9987C53A95E67019E6A46D497741FF167,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:59.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-37938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:59.674{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:18:58.826{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:04.811{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655A01987A9CFA3494974F1632323BA1,SHA256=F617C822AD3DB06411A836CEB918779588404E0CE5FE4AFE19168BA1A8271EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:04.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C1791A8EB16C28587E4049A5F7E3CBF,SHA256=C946B9484A90C7998526C4C434BBA91B75C953BD93E18DAC6BC0802B7C21C7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:04.287{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52899437EF5475023043E9BB7A560D9,SHA256=8A766F5DCF857770F60C6DE61544419B6145940C45491CFFB88392B2F4AF2677,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:00.767{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48302-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:05.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE79956962A7044F6C4BE50B7F62B971,SHA256=F69FCEB9613367812A810D8FCEEF717050908D414422339E2C688FED2D9361DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:03.050{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:02.377{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:05.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31D2020681E466BB2CC95BD26C47213,SHA256=01EFCBBECF04928E2E52866000AB49C293A77C16547CCE6057C24C049DFB8525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:05.698{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5719MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:05.289{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8086D16F3459F4837F2933B78AA201E2,SHA256=F56BA415914BF4DDEBEC0840AA6EB37916D3F829C883E6DCE43054376FCD4294,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:04.914{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in50383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:04.901{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in50380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:01.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:01.266{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-46257-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:03.491{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-3026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:06.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25BAA6E3030AD76C8778F9BFB142E5BD,SHA256=4B1884DF42FE4DD214E9BB926CF438C5CF3061B64B08C2083E6094B914693F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:06.710{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5720MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:06.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB704C2C7ACFABCEABEF56C277E1D6EE,SHA256=56BF4C999889C9EB3E2144579D26E9A8DC843EEFCF3B371D98C1055958E1C792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:06.856{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1353CD70A93060A87309D49B2CD3B3,SHA256=4005057D514062E22B49BD1E37EC664DCC2FC0B1AC1DD3F3D2DBDE4D98CEB878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:07.874{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24C53DBAB2602D5FD1FDCBE3A3D24F2,SHA256=3EC30C343F4E96444389869F685514D1CCEFC74ACE5EEED7C954296A05F72D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:07.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F6B6AB59F67FBC7D4F504C4561FAD3,SHA256=1A5D93D442FE5F706DDE3E483D9C5A7E5DC5222AED7A0DE6C7FCDFEE618FD3D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:06.206{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:08.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2693B31878AC6714BD6135F2F0E42B,SHA256=33EB0CF52852DE88F66943B861D2AA997C75184D574D2CFA55E8D428E2889050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:08.679{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63CC0A24E93E8522CF60966DE42A061,SHA256=B8CB25810BD27E5F176B208AAA00D8A2BF9839059FB1D66AB84023B4EA26181A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:08.773{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1402MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:04.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-10895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:04.404{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61696-false10.0.1.12-8000- 354300x80000000000000001291239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:04.128{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-12900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:08.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C675FD33627FF495FDADF1AE1506877,SHA256=FA2262CA6A305B96B3B9972CDF99A16091D4C6874ECDF2331CFD20F826F34B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:09.907{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E667E3EE3EDA0AF77339AE95DE64AB,SHA256=275FA26B060C8D3B9434CECE96951907F9E82F478BE67DAAAC5013CB26AF6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88C5AF6F7C356EF2C489B49C74D019F,SHA256=B3E60007A8E756543254DB658CD62C06171F88ABD80B8F27BE6F2866B37F618C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:09.793{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1403MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD32AF227660E51339706A10537CDE37,SHA256=E7850D4C022FABD5A9854B9700A6664FAC6D91419D314302684CD3B807377490,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:05.221{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-20534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B15E420D30D50FDDD34CC09F0E0A0B5,SHA256=9E48060DE0855AE8A77EFCA09543FE6843EC565745CD38B692B1090E62F4715B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF37E4E859CB9FC8144B5270ADF65A6D,SHA256=EDD9480B7C6708AC61866067507B49EF44D76ACF688B102B6C06406F8ED4EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.859{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A40B9B4F362306E2111E6D37EE538CA3,SHA256=F4B1AC66339ED0CF68AFA27CAA735C40A7603ECDD3000FFE9A27CC1A7B38DC01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE0E-6152-7E28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE0E-6152-7E28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.812{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE0E-6152-7E28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.813{5EBD8912-DE0E-6152-7E28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001384809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE0E-6152-7D28-00000000FD01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE0E-6152-7D28-00000000FD01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.138{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE0E-6152-7D28-00000000FD01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.139{5EBD8912-DE0E-6152-7D28-00000000FD01}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69AD730BB4189DF6B041B7C7464306B1,SHA256=81142F95B6EC137CAE831CB50F7A37248311A8D621B1EFF9D750EFC3CE955FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:06.819{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-26226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:06.495{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-28537-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:05.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001291280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE0F-6152-73A1-00000000FD01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE0F-6152-73A1-00000000FD01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.929{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE0F-6152-73A1-00000000FD01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.915{69CF5F33-DE0F-6152-73A1-00000000FD01}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54427D73FC2F6B76B6C725B2920DA464,SHA256=6872522DC954CCD6B6ED14DD69F62C7AE4F0ABACF367E36FEE523580FC75B0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:11.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894707D06A8D8C7694AA1895545389FE,SHA256=F603A49A4DCE4230BBE101147EC9C473B311AE859E29CCD43356DB37C5D50F0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:09.802{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-51326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:11.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679BD5A5154B2910BE1603B996A1260C,SHA256=ADEF3DDDB3AEE53FCB178A6EE7398EED624362AECBE309D168380D1850564E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:11.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DAE093279A10079AEF7D34EF1CBD39,SHA256=E17B398D6B02680A2A5FD4C95E06B60D537314DABBFCAAB27A67B475CACBEE53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:10.996{5EBD8912-DE0E-6152-7E28-00000000FD01}54524508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.601{69CF5F33-DE0F-6152-72A1-00000000FD01}2460976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFDAF6799481581E1A48C1316C718F6D,SHA256=A5C4E7D33352F8CEE8200B3795CCEE9ADFEE1EE5D7DD4102876B763665164E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE0F-6152-72A1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DE0F-6152-72A1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE0F-6152-72A1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.368{69CF5F33-DE0F-6152-72A1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:07.643{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-36645-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001291297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE10-6152-74A1-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE10-6152-74A1-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.617{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE10-6152-74A1-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.602{69CF5F33-DE10-6152-74A1-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.034{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41310-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:08.754{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-44947-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:07.913{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001291281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.179{69CF5F33-DE0F-6152-73A1-00000000FD01}17483544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.910{5EBD8912-DE10-6152-7F28-00000000FD01}36805212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE10-6152-7F28-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE10-6152-7F28-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.741{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE10-6152-7F28-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:12.742{5EBD8912-DE10-6152-7F28-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:11.223{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001291337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.523{69CF5F33-DE11-6152-75A1-00000000FD01}3380852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001291336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.389{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.349{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.297{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.288{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-50068-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.261{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.229{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49538-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.187{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.172{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.149{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.128{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.089{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.028{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53376-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53189-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52953-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.920{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.893{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52454-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:09.546{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61697-false10.0.1.12-8000- 10341000x80000000000000001291312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE11-6152-75A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE11-6152-75A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.304{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE11-6152-75A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.290{69CF5F33-DE11-6152-75A1-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.101{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D494C97E63FF287CD76F1206FADFD22C,SHA256=633BB3BBF13BC6789ACA5F6C77DC2F840553E2031BBCA4345199BDC688CEEAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.101{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0F21FC697588B3BA613C62EBB0011BA,SHA256=8F5FA1E59858D805594B764239ABEFEE3A00ADCF5E605D6BC57C4D1FB172E833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.757{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679BD5A5154B2910BE1603B996A1260C,SHA256=ADEF3DDDB3AEE53FCB178A6EE7398EED624362AECBE309D168380D1850564E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE11-6152-8028-00000000FD01}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DE11-6152-8028-00000000FD01}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE11-6152-8028-00000000FD01}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.426{5EBD8912-DE11-6152-8028-00000000FD01}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:13.010{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA777EF2173A32B7457322A0563BE05A,SHA256=BD3536937A78435B494A48DBC534AD51547B8AF6F946F24967A89AA3C3396A54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.898{69CF5F33-DE12-6152-77A1-00000000FD01}23601052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0391167AB785EF8C3567DBAA606995,SHA256=8812A44BB2A7AC4D5954C6EAC48552AEBEB0A7D1746C2ADF505A788E0881BFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F528BCDF49D26F476F525891983E7B4B,SHA256=1127F67F3E9576C88E0413E47A90C68817F3FE808BE9FF471A36EB358E215D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE12-6152-77A1-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DE12-6152-77A1-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.697{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE12-6152-77A1-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.680{69CF5F33-DE12-6152-77A1-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.661{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.637{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58880-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58598-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.590{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.559{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.556{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.485{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.462{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-5110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.417{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.382{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4501-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.359{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4240-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4033-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.282{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.260{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.239{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.202{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2965-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.143{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2753-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.117{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.082{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-2262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.058{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.023{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.998{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1587-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.966{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.918{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-1056-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.858{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.802{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-59124-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.752{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58569-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.683{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.648{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-58034-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.613{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57489-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.519{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.496{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-57066-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.457{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56918-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:10.435{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56742-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:14.025{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B42F964DA7DA231BCFC7A19A0B0A0D,SHA256=483028734A476632DF46183CE74E4BF5FF50DC4E4B162E0A498D5415A3AF4EDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE11-6152-76A1-00000000FD01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE11-6152-76A1-00000000FD01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.007{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE11-6152-76A1-00000000FD01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:13.977{69CF5F33-DE11-6152-76A1-00000000FD01}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:15.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6498E2D2E0490E70FFBF3171BFB75DC,SHA256=29EB9B6FEBB255B7F9B0C9DED94D914392F180667E73E7E9E819B8DBA3751F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.333{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.272{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4733-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.249{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4511-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-4118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.180{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-3690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-3491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.091{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-3170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2725msolap-ptp2false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.945{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-2027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.858{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1532-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.820{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-1218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.781{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59918-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.743{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.720{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:11.683{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:15.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4166B99E74243EC03CD19C393E25BD74,SHA256=1704968F0A86D7D29964EF962126BAD83FEB6C5B60055967C866E3D3EC3CD2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:15.539{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CD390E563BF0DB01A46D33BC8DE418,SHA256=DC65F287B1001A1FD23AD4D5FA9AF26506CF70880F354EDEB2A5BB0D450C0145,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:14.319{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26360-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:15.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95308BD7E83C46CB92471F7C27594B5,SHA256=BFD3964EB63028F67A429693D5EFA9927EC1EAE5F88A17AC3CB57D8B05903DBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.799{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-14030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.739{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-13442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-6399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.520{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-6302-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.497{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-6179-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-6073directplay8false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5914-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5742-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:12.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5141-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:16.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919B09FCF32FEE4F163E8D37E5AAD11F,SHA256=6DE7CBFD1E65477ABC54ECD179AE1329D6228F7BE1751B9535D32BDDCD147BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.892{5EBD8912-DE14-6152-8128-00000000FD01}56601224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE14-6152-8128-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE14-6152-8128-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.691{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE14-6152-8128-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.692{5EBD8912-DE14-6152-8128-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001384852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A0AF5B5D9C7EA181267DFE43EAB58E,SHA256=078B475EDDEA669FCB798F06FC1816982703FE75219DACB21F2E53087240A84A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:15.473{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-30937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:14.358{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627763854870F57EA4068B245ABEED68,SHA256=CE555135740891AA912F7784275751AAB1C077D1586FAE9B00C4D7F7C6A44EFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.021{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-22686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:17.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE1ABBC43221D744DF544C9A5A58014,SHA256=24F1E459A53D462CDC6854B894C0C9C9907877B32B496B686E5B471EBFDA6FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.692{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=590E4482515288753B9B1164964C069F,SHA256=61ADDAF3ACD11623617419A08C9EF3C03A63672D677485950C9016F19AE05985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.524{5EBD8912-DE15-6152-8228-00000000FD01}40402060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE15-6152-8228-00000000FD01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE15-6152-8228-00000000FD01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.355{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE15-6152-8228-00000000FD01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.356{5EBD8912-DE15-6152-8228-00000000FD01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.202{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:16.569{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E2BC869D892936E3ABBDA056FF6F31,SHA256=0E53262C0356CDB4AF2761C0E75AB827FBBAA8E8DB3A3DB2099D3D7E8163157B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:14.562{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61698-false10.0.1.12-8000- 23542300x80000000000000001291445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:18.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0791AA9D45D479C469C8F8EE90E38C3,SHA256=DF5931B7665CED6CE6463F07B373ACD28FBE9CC5C41C3C3AB2001640489E5CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:18.907{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF42E9E0C7E537A8028FE66A4E17E47C,SHA256=8A2EAA5D74E5F9A42EEC366E1613DCAF232F1B474CEEEE9DEA94C622B9975AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:17.686{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:18.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C219DA606A9671ED1D78245CDB15310,SHA256=B7A3F91CCEA00970B444AE558E9B0E50E3AC95C30927F76DD97D349D19212855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:19.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF83545F106F074C1F12249A578B6B2B,SHA256=A390EB60BD4DCDAA3C61F3CA0F481CAD177B9A8A9002BEEDDFFD22E03FB95B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:18.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:19.154{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D328D14C226115E0C1C5162A958E24F2,SHA256=77E3E8DE23C6A98999DA44D57DEE9FAF9C9192D21F7F492C95466A1A6041FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:20.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B446AFA41B0791995A50D8B0356B3E7,SHA256=E7E93966F7F5F5D344B3E97B080F2268FFB3524D89BDF97023F7B6282A294516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.190{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EA114B11E0AC16A6888E401F007196,SHA256=F4F626E63F053E230620F1A8E9687E774EB3F08598668AE0FF3ED3D0D0F61910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5F82C8404D1C5D8DAB6D0B98AB956D2,SHA256=2F8B9559338CC3D2FE610EF1DE7202879912F28D3CECDC2B6660FE6B6B85EA4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001384887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE18-6152-8328-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001384882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE18-6152-8328-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001384881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.006{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE18-6152-8328-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001384880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:20.007{5EBD8912-DE18-6152-8328-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:21.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5B3587EED9489FB69E1C58977727BF,SHA256=B64D868B9EFBDEBAA5022C34652D70FA7FD3C5A6FF3047E3CA06B2098E743763,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:21.068{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:19.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:21.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9D16FD79D837D1BB7E2D63958C00AE,SHA256=CD9D9D6BF9E80086C4A45157768107E29560CFAADA517354375F0C7019279358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:21.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33B487242B91DF03FEF60A42EEFF64A,SHA256=C1752357E4673566D152B63E22B96F6EDCD3C02BC31E8E45D1FA1BB160FE4586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46186E7614506FA768E9E40B2CA15B6B,SHA256=F393A81803858EC6762CFC14F868FB9BDD6F808357D9A4E0106BE59F6995C292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:22.336{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E5F8F4B20C4A418AD08B2390B5B227,SHA256=8A1AF17319F704DAD58561A05D51C250A5E627618A2C86196B24B9337B3858F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:22.220{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F632B141AFEDA4E1B55F39681E8576,SHA256=7EAE550E14D1495FD9D0C7CF7CB94FC54BF9CAB70C9F00BFFEB4398B028B481C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE1A-6152-78A1-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DE1A-6152-78A1-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.489{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE1A-6152-78A1-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.474{69CF5F33-DE1A-6152-78A1-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001384898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:22.203{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:23.452{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB82113326C488FE23F5D12F613E4F2,SHA256=DE80C9D9BB11E8AFF7C662F5124EE9024769E8E9114182299AF1F3493A7B20BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:23.251{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BF8EE99879AE83EBFAA57ACAD015C0,SHA256=AF1F37EB3EEC321DC05F286257719A1462290A9BEEF448A3C4B489051DCBB70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:23.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B213A9BC3DD017953C8050D2589E185,SHA256=514BC4BA1D9B034EA01A363695B0C9875A5DEDAD104751C4109FEBF9986ABB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:23.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86A055CDC56248403302CC6BE1066ECC,SHA256=A9ECD2C11A51557E5FA3F16AE0E1CFB088F1C150214EFF449EF7712B8DCBBCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:24.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B213A9BC3DD017953C8050D2589E185,SHA256=514BC4BA1D9B034EA01A363695B0C9875A5DEDAD104751C4109FEBF9986ABB60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:20.543{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61699-false10.0.1.12-8000- 23542300x80000000000000001291466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:24.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7814489473FF867197D8B28AA9EDC9C,SHA256=F211B9240EC4069C225F625FD2AB4788F4E513B7DF0FB529356648BFBA1DE689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:24.688{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C46AA709B70399B5B47C999BD0EDD44,SHA256=970DBB8F6B5BD9D7178C52998AA50C3FE34561EE49490F7AAE0E58C67C48E866,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:23.367{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-1966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:23.247{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:24.270{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31081449609BF11C1049015D21F5161C,SHA256=E58A68040B8FB4D94DD2EFC44B505790EDEADCF037C72F32121A1A0B3B164B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:25.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD80D800B9D3C512520D1160EA30B450,SHA256=046D29F77E12E2AF421495E7D3084E91F6796F6A8B5B798EC65435D2346B2BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:25.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59CA33DB1AEA8A78E27CEDD5B0696C3,SHA256=019D1AE998122E0878EA95EB776BED87D6C2E6B3D06CBD6715EE16DCE6CC33B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:25.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE9317B93EE8FAFE289445974225920,SHA256=AD847DC84F6405A6EB9F13D77F357275C3FC646154CFB4B24134953ED6B5A8DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:24.523{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:25.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA943035F1AD056D9836E73410508B74,SHA256=9C0E8AD77EBDF294B57A672E01207FC53C6B3E5736E861575295B0C946672605,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:22.021{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:21.997{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:26.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52DA45B36F342133DCF3A39BD1AF8D26,SHA256=50DF99FED2CB8DC65E2008A26549F0444FFEFC070A6816DE1573E2EBF57773AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:23.123{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46185-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001384908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:26.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB558755C5D2BDE4EC6C9BCF1AD5F6F3,SHA256=B6DF34D444CB7C818E0FC82CC2BC4D9B666C4FE6A9E96BF773470EA3BCF9952D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:25.704{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:26.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F06BF22A58963105E4BED093BFFFB8,SHA256=0DD430A3F64C832249BB3234052B9955A677B4B3ADFABE6F948E96D84B9B49F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:24.261{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:27.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A0BFF0208AF55F3ACE1AE53178731A,SHA256=FF3AD7230CFB2051CC4218A25BFC198D96DD938C61E4ADB6F085D23B61E3A4CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:26.806{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-14748-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:27.349{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D576B5F413C77C281CEE0F539E3A9E15,SHA256=B2CD5774FB7F53A90578146661A529AD14C40291EEC1FA526F10EC945C4C0425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:27.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03693D4FBA38821BE93FFE44FDDA1A83,SHA256=899E14E072E59497FD1F2FD1E42C7F13451054C76E27D390433D7F50963428EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:25.377{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:28.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D42F98BBC45798C1A46AF2121DCE31,SHA256=5AABCEA01F9B33A7C16434EC86423BC797477289421E197D57F835D26C6C486B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:27.921{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:28.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E62685279A6E0EC057C500F94B702,SHA256=0387B08C264B11B5372FE450BCDB3443776EC0583D5EF9111030BE8224112AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:28.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396B215D9114E8C637BF7ED261DD3BDA,SHA256=C29A5619362083AC2D2CAA5401037F44A8E7CBC86483C9E833EE6C672485ED4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:28.087{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C11FAE38FA704174786DA974501FD1C,SHA256=77C18FC5EDD1776D6F8D05A6D8EDE02EF345DB0BBA8CAF8C53742A65707696A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:26.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:25.559{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61700-false10.0.1.12-8000- 23542300x80000000000000001291482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:29.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82292CACC52C9BB0EC9123BBD8FFB2D1,SHA256=4343DD4361B194ED92EF99541899E77BF79245A0341BE1028594213BCBDE78A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:29.200{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:29.173{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:29.104{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:28.998{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:29.385{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5360B57FA77529E314FB87DA01EF345,SHA256=695FDBA3AF56DBF1223D28516DCA40B1B55EC31D698D722BD0138CC7E48A89EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:29.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEF32DCEC4205257E587B8209ED34B5A,SHA256=3AAFA333AFE495EAD25723E4BD863CC211008254E3773A33740F1DF90BA171B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:29.167{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8E462DCEF81C655D5BD3CF38F7F3C1,SHA256=996382A4F2AA6B9C884A7C7E0FA96202B30A0847B04E05EFAF646792F26778C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:27.594{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-18887-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:30.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF5F46C8063BC26C8F1FCB14763945A,SHA256=FD7CB854D1F5B0CCC59663ED8BD6419E1D062196A555E0B339EB689BCB43317C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local51461-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x80000000000000001384924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.662{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62721- 354300x80000000000000001384923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.308{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.194{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27398-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FA7908C514DD6416FBE4A7272C7DD5,SHA256=1E60D9D0C3878996A6A9B64778FCE0455C43D9F7375FFD68D93DA1B0C6D3F451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:30.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DFE534022DFC88B41D8FEA810F3D23A,SHA256=0B6F07865D94FF371D9472C4A4AD11F9938743CEDF2C0901E10D0C1AFBDF2B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:30.285{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7933C18FC3DEEF8A31D27A10DB7E7518,SHA256=A7FC69584A3AE209E78C20F2F0AD7E7C8D7AD4F94622636827B2A74845B22814,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:31.502{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:31.302{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31488-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:31.431{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEA32167DFC6ACBA31F2A1DCB0388C6F,SHA256=37B5CBF457F500E3593F2424724C6908B1607EF230A6274FF8F24E750F57FCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:31.415{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CA779A489F892268FCB06E0EFFCDBE,SHA256=2F7AEFB841A69E7B610CF4D7451F8320A72A819678913AB19D80E49C38F16340,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:28.713{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-26868-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:31.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEE4C2D85E0AD59225C6FDA13F7F2A5,SHA256=C2CF22FB6FAC25145C0432E578B1F07EF1125AA1D93006A1160E720A7F77A29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:31.426{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF1722C312F3A5EE6E107AA644673749,SHA256=8BAC80513E1FD4AFB9165847F4F4F8A2A73AD596D0D29343592CCF0A98D790C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:32.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AD4D8393C88CB8F39856D9AC92C4BE,SHA256=3300E87B11AAC8FCC6687D381BE9E494B0689DE8E87E460FB93F0D68F1301DA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:32.617{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:32.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35532-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:32.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE75D812A6BCC8EB23A976AD44BD1AB,SHA256=A2DAD811B6D8046C20F191303DF87D9AF53DB4AB1F6AC10B514F024CC3549FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:32.484{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB070215D23EACC722B4B3468B27FC75,SHA256=7B63F71B6CCC1F65E533AF7DBEF19F93327CA373C52976F57B873D4DAD5E8971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:32.504{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8703103F7E472FDC2B4F89E0447150FD,SHA256=FDB20D4915547CD7F874CF4087961F40B7340DC39EC2F02BA567A27DCA5AF096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:33.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2944C1E973427237DC742A413276061,SHA256=3899044992504FD695B675D50C6A970BFE7A28D39B33667043A3E8AF9CDD3955,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:33.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39661-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:33.665{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CA35FB9CD2D333AB44371DB64B7BDD5,SHA256=11D5744CDED356D861671AAC13CA972E50F974BACAD5F2EFB7FF19824BC4AB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:33.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35783D0F7D329EFE447A09ADF96AA82,SHA256=56CC622CB970374C8D27E6FC11C89BE8BDE8C18A38277DE4B6F23AE61269E4CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:30.898{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42018-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:29.798{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-34080-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:33.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B28A6358F03283F8E920B1B3F4550D,SHA256=F160ADFDD1035B9DB7F33B84A50982CEF9D506BE04C82593F20926A0A8ED2D80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:34.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43748-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:34.195{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:33.889{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-42550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:34.745{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36E5F905109E276859BDEE27E8A831FC,SHA256=8599AFC855B6716955D6BA2040413C1758569AD16330949CB889478349C05176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:34.545{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981ECD23C4CDFDCF850F36FAA49C1C2D,SHA256=5A26FF34FB7AB7BAE550EFDE25255CBABD3649BEB5F0AC6047ADEB5F92FFFFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:34.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284D51B1B0F904D7C48FB36C72923E9F,SHA256=8C1D9D79C4FD14379C4D9AC05A46619EB608BE280CD576DA02DE6ED3EB57C5A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:31.544{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61701-false10.0.1.12-8000- 354300x80000000000000001384944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:35.044{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-50123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:35.828{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03E306F7EFA55132FED4A945F208D1A4,SHA256=E1E231E07C79C7E6C9422497E29860DEB5C76CEBBE11C9FBBA58303F4918D0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:35.582{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68BC447C1D9DCBDD607955F665B5A05,SHA256=A209958ADE14335EF617ABCD0643EB7046954CB2F76642E78E2984DA37D3ED28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:32.183{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:35.004{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46F9FC92FA9DA7AAF9EFC4E91AC5C8A,SHA256=7C69ED5C40469D0C5E5586EA0FB9464264F5E2A391C56867B03526F4C7E58095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:36.912{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0C68397D37E4CB93704E93130E60038,SHA256=E2D96F650CA8E825DD0889A96BEF4C1EF781BFC1145997A1503188B0FE50F195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:36.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B60DA46CBC8A62912C86244366A51E,SHA256=E94D03FFC21FCFEEC8F90F93958D14B207FA478BF70D6B0AC9C07E53E141A630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:33.400{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58824-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:36.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1497A91C9B2D1C4BEB1B68E6B54EE523,SHA256=8C7B8AF4A842421D2322A4B87902E2D5869938BE7B41DED707DB49A57F4CCEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:36.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2844E7EBD7EB7377CD2376BF8EC3B514,SHA256=FA89E33554B8550D508E2BE3481ED502139F39BD4E3F6EB1797658780455B956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:37.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CD7D0B28DFA8C16FF46A7FC4A1CB63A,SHA256=8F664781AD9370E68F61CF05A04BF94035B91182CBB863F4D743E584F3EDBAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:37.611{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B044A1991E237AD8F05322C7E2153099,SHA256=3ED7E1BC326758D0E648B36EC725F09991D1BE76E70A0841A387A65AC3804624,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:34.533{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:34.498{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-32472-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:34.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-32366-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:37.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FD346B1EFA3389E8DB88CAD3F77EFA5,SHA256=A3B6D4ED4F9CA28A3A974C881ED551602C185B5796D83C827EA24869A28467BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:37.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2351E1E6579B4204866A981463761BA,SHA256=19327DA3EB267E713D6DA19CED00E0BDAE3924EFFF9336BD4E334E9D79753971,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:36.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-58247-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:35.761{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:38.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4DC04FE4F7CCEEAC5C9DC0B2F905DD,SHA256=BBB8F719BF632DAA35C9407CB8AF590EF4D40E7DF6347C9D3F2C90CA0643D0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:38.476{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD13168415F7562E928FC1ECDFF516C3,SHA256=3073AE189CDA407D2D448308B47AE6C00CFE0084B8683AC13689BCA4959F7C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:38.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED060765BC8A9349DBFD89A6BA8AB9C7,SHA256=7A24F9A3D54BA5E913137E875BCE410F7806AC30D654B9D71607F66CEB862E16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:37.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6045-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:36.845{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:39.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3946D59B59187565948DB72F3858289E,SHA256=8DF7CB8E4939A040D2A0B26E0D93B147DC8151843B6BE4F46E26B9B7C1140E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE98909BBCACB05A2682EEACFE31E211,SHA256=3F7F8BB35AA0625DE2AD1CEB6BBA5D7ED1F29239F5340718372E0AB91BFFA0CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:35.663{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-37836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:35.616{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-15893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.101{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24079621A47EA1DE20AC9FC61EF2F167,SHA256=99232A4A5FF92AD3AF98102731BD643B0DF47BE26D4775426750F6F4DC8BBF17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:38.459{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14147-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:37.928{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:39.078{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC54D613A39D86C9FBC8F43A1B458644,SHA256=2AB988FA45869B2C1D1526DECFAB9D061BD36FA3554DDFCDF4CC5901018F2D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:40.739{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7214C3AC988F7DF89612A71DB6B09DAF,SHA256=6938B9EBA92FFDD033B95EABD002CFF73309E94343F87DADBA9CEB4430E8FC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A82CB75C51963D7D982A0AA7D5140B,SHA256=23E0C6FEBC90BD46DAE9308F742BC3DD14732C09FDA1BA346DBFA88F4F6399AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A91792BEFCD448A6E3119BA613F1C43,SHA256=206505DE08729DB9B81B90AFF8C5649F513F1D40F633EF6FFF35AC8C395754A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:39.011{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:40.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CCE4B70E22833AD5185971FDD23C197,SHA256=1FEA8518621697D7A085E7E61C8BCA85412DDC167F7C060E48E5120F6F832EC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:36.972{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-44445-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:36.865{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C18A9FFADF9589209337BCEADE1676D9,SHA256=E7FCD908577B56F1BB98D47D2CBD5C369DB2259721075FA4CB0DE17E804E2F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4223BF55D01FE9E68A70D14EB95FF6,SHA256=03D0484D489D314EC99560A51EB388A699BB84DBA98020E504446564132376B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.856{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.855{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E57D5FC5F7DAAEC5F8E6B9CCD60972E9,SHA256=F6C74EBFE1D0939458F55A974E6A725237F507EC8F87DD1231C63DCF6F3890E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.760{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C31B85C4BDC06DA6280985F5A241D2,SHA256=1AF1DF0319D0F427B3102D45BFC3CCBD54B9B33E577FD1CCB930D3BAF0357342,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:40.672{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:40.094{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:39.548{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21769-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:39.222{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001384961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1129F4F74403831887FCDDB686B9BDF,SHA256=1E700D0F3925720891BDCED9D2CB00AA061836E7B28AF9038D61C91DBCD7917E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:37.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-32086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:37.562{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61702-false10.0.1.12-8000- 23542300x80000000000000001384972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:42.774{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A073684DC87A339A6DC1704DA99284E4,SHA256=5664145AF13E164E4DA07500751EADECF93E3712620982A7292107872F1CF6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DD000027C872242F1DE38206E14742A,SHA256=8F3C6329D437DD601CD71417EC99F0D47D9344D03D6EE48CAA0C8D4C1482EBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8747B8141634D495459C2808C8589B01,SHA256=BA91DEA782BDCDC872DEAEDC388B61071E0DEDE685FC1D8769FBC51DDA19751C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.392{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-56300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.351{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-56202-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:38.065{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-49873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001291523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:19:42.319{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b449-0xf85d5b8a) 23542300x80000000000000001384971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:42.375{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2012B2D0F20CA24F0CAEA3D0D9A72EF3,SHA256=A33F47E226C96F57267187979347BF5F0C2E8E2D41E353ECC8AE83EED45129F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.794{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:41.172{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-7894-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:43.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C000F239470E6FA8D6D06CB86EF9A4,SHA256=5E77322D6757FA94E3E171DD770C26D23DC868F443C8C9F99A821059964FFB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06ECAD312DD9EA5083BB8E9D759CC45,SHA256=A0B3E4FC74B4BC4EDF9AA5219DF71E2A33B763917EAF12D76EA576E87ED7ADE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:43.505{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D6D2A9B0F2913328E763FAF3377FEB,SHA256=1E7D058E37716AE5B73781E9742D163F17644B547F79CA0DCD02E4FFA6EDA3DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:42.884{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45298-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:42.270{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11640-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001291556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.518{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.496{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.473{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49541-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.389{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.366{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49043-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.322{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.270{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48474-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47934-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.160{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47727-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.103{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59507-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.071{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.033{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.009{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58942-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.972{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-58184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.841{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.789{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57607-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.768{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57543-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.746{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57494-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57450-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:39.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-57326-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:44.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00123BA55259D02DF70899B1BF40DF70,SHA256=60E704063D0386F804F305A8D0BEE7937FC239F7B9E9ACB90BA87CC8CA0AE6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:44.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8032264E381A534D793674AD3DF211F5,SHA256=B487383463761C9B948A0ECF873A28C466E09B6B49156294D52FB4A6BB30879B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:44.589{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9935EDEEB5F72FEFAC425933C9F75A6F,SHA256=98E167845E3E69028F86FE96EDC4C4F8E798703B9F80C0F9D1ECE59DAC743FB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:43.071{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51464-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001384977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:43.071{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51464-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001291593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7032-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.521{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.499{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.477{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.352{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.331{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56063-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.308{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.286{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.264{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55577-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55448-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.220{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55156-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.182{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54887-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.144{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.121{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54546-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54287-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.050{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53721-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53387-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.909{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52703-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.824{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52493-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.802{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.767{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52039-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.745{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51788-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.710{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.685{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51474-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.662{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.640{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.603{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.579{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:40.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50444-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:44.335{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6D23948CFD04E9FAE7E809FA3B8E330E,SHA256=7DB7146721A5F373821EB1C9F2DEAE8344595702C113DC639EF559C3DF6B6DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:44.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C044F9B613CCD9750AAF4BB41F0F4638,SHA256=E9B5FEA3E2906FC11C022B0B28376DEBD148D442E79373A9CB2370584311D9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:45.835{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5551C1A79EE47F7E1EB3B38608AB4FC,SHA256=DC27AC7F56A949B512D598266B4B59B36F375EAE129A9F2E68A1C97BCABF9D71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.645{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12670-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.623{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.605{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5971-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.545{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11915-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5789-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5640-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.504{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.489{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5462-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.482{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.425{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.386{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11438-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.353{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11359-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.314{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.290{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.269{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10971-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.232{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.209{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10496-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10157-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.075{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9648-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.969{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9365-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.898{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.834{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-8743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-8122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.674{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7970-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.651{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7765-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7513-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:41.595{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:45.350{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA0BDB8D2B7DF1AFE3E9089887D3E17,SHA256=99BA5CBDBC92A7A5C7F16B172055D69C0B45763F85697E6171E96C3B7C22CCB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:45.672{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5387AEC8662D5708CBDED1534368778F,SHA256=246164BD7495227EE7EF7C1D134C2ED4EE6957FD60CF691DF8F5CC4A5986FB3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:44.093{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:43.406{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:46.854{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7406146C193E697470F7F56B97D603,SHA256=BDA8FC57C04BB3D82DF70B57B5004201F433EB06F4FF6979832FD52C036107D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.176{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.154{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15228-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.118{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.081{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.045{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.022{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14637-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.000{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.979{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14456-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.912{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14160-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14070-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.868{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.764{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13281-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.728{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13036-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.692{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:42.668{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:46.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F3F309A70F74A80C8D6303903F5563,SHA256=DE6810D83DD889EE3DC9C8185A6AA263BEA4B0FA1AF83554B29ECFB68EF816A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:46.753{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=160559919004AF61BC61EC1DBCACF727,SHA256=5CC45F6984054A010135988AE9FAFD9295DC606C0EDA99A05326BD1C312730EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:45.606{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23460-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:45.246{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001384986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:45.206{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-2491-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:44.522{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001384994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:47.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA77BDCF0938997DB610B39596DE13F,SHA256=0CC2E75531D2F43ED33E95876C3566442629534E70ACE0E8F09539D3A707E637,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-14344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.746{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-14173-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.723{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-13999-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:43.514{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61703-false10.0.1.12-8000- 23542300x80000000000000001291652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:47.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E884FB16671245CC6FD3BBA43D1FBF,SHA256=9AFB4294337CEAFE288749D742D4F3BBDB77C407EE6662BC67A41DB7A6B3D2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:47.856{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CFD063E50E519E61E8C8E0C2AB57763,SHA256=BDC330019E659338114442862C90C6BED7CD9DEB492A576DF0D9BA9197C86471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:47.719{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:46.335{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-9724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001291651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:47.210{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:45.546{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61704-false10.0.1.12-8089- 23542300x80000000000000001291657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:48.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327EFE01E316928325AF65A547306C5B,SHA256=14B43275659791048F10B704187D42B3038F798C37D9FF5F5BFE6A3680C817AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:48.934{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21902B5BB92FA32720360D0327036F61,SHA256=9BDDD71C387C2E41BFF143220A0B0CF9DE0ED2B8BCC62CEC9E0EBA74FCCE70EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001384996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:48.903{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C1509A512210C59F9C720C4E4B78F2,SHA256=13F192A8AB8EE2C71A42643039477D6A0A791C2CE6224AF371E31209EDA7BCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001384995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:46.689{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:49.952{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4266F03F8B2018FCB38CC22C2D78CD,SHA256=F9C0BDF4ADEA17641B30E83157E9B9545434F8AED89EA471A547E8782D3605DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:49.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288B07661B2825C41FD6076CB1FD8839,SHA256=2A8DA80223D1417557579EE5E41E0D67D5E563FA39D57AFBF88337C9F6D8EB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:48.699{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001384999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:47.785{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-30822-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001384998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:47.535{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-18318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001291660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:50.679{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D52392526C782197C5B76833B5A0706,SHA256=F39C693F7217473408CE2A947CF635F827D414A13C125D9449BC2A936655E729,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:49.988{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:49.951{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-38284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:48.869{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-34449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:48.852{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26503-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:50.017{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DAB33E41B2B2C80F5FAF5050E88F69,SHA256=A5BAAE6E8A422841728F1AB3736A4CA020FBC2D46D1F55C675CA3211A16A71CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:51.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E26CAA19A4DCC447C7F15AE43B5D72B,SHA256=C30CA533BAF09F9224898A1334017AFE3A7A4AD1FD7B2F3D8E1869D647FFF504,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:51.033{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-41925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:51.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AC8C49D94BF6A1C28A6AF7F97034C0,SHA256=C064E941765EA6F4EA7875DA58EE10552E0FAB68C4A4489D3CC35F7A6C781D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:51.000{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27664FA899F977C78087EEFFDAAB8A3,SHA256=18413801522662627368DCB644BE1424C889776AE380A022877AE4ADCD936FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:52.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CD8158A3CBE339E4783F55CDE1C657,SHA256=FFB99A8DF5DCF4686CC28E908C04B435C1A72370DC9E4F13939DEC86E7BED358,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:52.117{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-45601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:51.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-42981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:51.181{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:52.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC1030C48039957717E8E152D2CFE284,SHA256=E9F282CDB27A740BCE4C7653ED6EA02BB56698F2823DE795E5B6675AC06416A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:52.031{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46735464E81E3EE416DF7F92D4125EC1,SHA256=B4A855FF9F814BD0479AB89246F96198F369C9F71707EA47E3B2E8E81E7D549F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:49.499{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61705-false10.0.1.12-8000- 23542300x80000000000000001291663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:53.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7851A033AFDEA43D6ABCFB5F51CA4F5E,SHA256=D160BC953AEF62CC210FC586B20600E1813C86F33CB2927872EB6D4EEC710395,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:53.200{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-49329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:52.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-50221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:53.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0250A63AF5C6E18A26B5FF7C723A3BC0,SHA256=C6EDB28129D4ACDA6C299AAC71DF4DE007ED9D258E90BED85AE4D80074DE6182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:53.067{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789674F1735538C72FB19AAD8C0147F5,SHA256=7217A012A36F5DE5FED4F7D74F364D64CED848F320041814803859C7D97385DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:54.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440DE39DCC692F087FB923B71279F2AF,SHA256=38F4931FE8AF83797C747D0A3C4765B2218943667CFE86716AF3606EC232B022,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:53.524{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:54.348{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECD04867D5EA70E850FE97FBE906BEA8,SHA256=0B72EAC394D69AAB53E5071576C52DE22779676B43EBA2CB45A2F9306835511C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:54.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191FD2797DBA3DAF981F0B757A467AB,SHA256=19B69BB4202D48C13BC03A9CC3390ACE53227FD639F50746073A6386DC23DFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:55.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED4E825115F2865B44E0C8D01E257FD3,SHA256=A6CF741E17B3CBFFC5BDC442DB49CBD17BE709FBA9BCC549B9BC61A366E7BD39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:54.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:54.283{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-53034-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:55.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0BCEE7563A2265323F277D50934ED57,SHA256=AB4BBA518D3935CA4E0A5F1EE40CBB1436BB1E5CADD1DF2634FD341DFE1EC401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:55.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B72E2C3573476B5A37C732FF92FDD8,SHA256=64AB7B1CEFFBFBD662E1C66BCC49B6B0255DA9902E1185A758ED33454AE626F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:56.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FD8EEB27B2A7F50E23FD41CFCCFA8E,SHA256=B6B9B3AE1C5980B9B26468287C9DCEF9B6C38B44469581133B9123251019ADE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:56.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3414AF6E9197FD1E2F24B4638250EB18,SHA256=61EE1352E8D7FF5BA02546580925B82EAF0F13A1E7C531084FD2071AE863C0AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:55.925{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:55.361{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:56.146{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED24D7B6E3431F8DD57FA0311DD10F0,SHA256=6FE74CEF5320FA1A4B8CBF0ACF9DDBCD96137E66BCEFA38F49C0295107237A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:56.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513B683E20DFF0FF8F01F12BF20B67D1,SHA256=2758FB914C85DB5D935AFA2B58520CE2FC4F7140FEF1DDE82FF2D2D29CAC56D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:56.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6496DEB141DB4A92EB71FCF941D61F90,SHA256=D3B1753C1624D902A628D01E4CC6C16636CE96E652E7705DEABE25ECCCDAFE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:57.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A7F04234539354396BD6EC7F7610CE,SHA256=AF08E705727C8071DE25099900A252465B8FB19A26210AB4372F172A3038A2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:57.747{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D24D1BB3ECF992B76F30084359DE7A,SHA256=05DEB4254A48864676992004E96CD478EC00720B8275A0DAF43A17947526E2FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:56.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-1294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:57.163{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150F52945552A6EAFEDD7460BB06E1BD,SHA256=3FDCBC909315E70EE60BFB19DF68FBF2DB7B0B502C52587987CFF93CE2A19B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:57.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=513B683E20DFF0FF8F01F12BF20B67D1,SHA256=2758FB914C85DB5D935AFA2B58520CE2FC4F7140FEF1DDE82FF2D2D29CAC56D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:53.555{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59195-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:53.530{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:58.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2ACF8405CB852360DB2863059C0FF86,SHA256=82ACD9870650B2FB473C949B485B8245E0C23EF6FA0FA8C96D04E6B0BC8FC66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:58.844{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB1DD5D163C910FFEA7564B2863A6DE0,SHA256=D5543EE467B58C33E2E61E51AB88EBFE8F2F9CA4289C5CEBB50765775685ABA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:57.658{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:57.076{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:57.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001385034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:58.294{5EBD8912-8CBD-6151-0B00-00000000FD01}640584C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001385033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:58.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773F62AB0B1B2BDBF645C4AF8B041DB3,SHA256=AAAF14EE0D1D76AA455390797220B6F06444D9E28F2314971C7C3A92FD95A685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:58.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31C994D951B2CADBBEE198CDF0B20678,SHA256=67E7A21C431634E6DC9379339F88B6C23023D39B968DF5535C9016E874ADB6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:54.718{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5800-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:59.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64EA889ECBB63BBCE9B9E1971E78BDD,SHA256=C73DB23440D59E16CE0733F34E3A105BF17EE9565493137F41DC2B024F929735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:59.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E24294D558EADFC3BDEDD7D79861D9C,SHA256=F7B52E9BCBA4334FF6A06D74437A2EA91A574FC1714465BFE8676B2847905FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.924{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A79E86C7194F3C2B979A25D3E26257C5,SHA256=D9D0CE3CE0F164BC3D127BB3598A526A49066E11D1B6BF8FED0746239E9B8454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.746{5EBD8912-8CC0-6151-1600-00000000FD01}12966272C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.745{5EBD8912-8CC0-6151-1600-00000000FD01}12966272C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001385044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.290{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51469-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.290{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local51469-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.211{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:58.779{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8935-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:58.112{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-30326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.208{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BFC04987B52475019235D0F454C2BD,SHA256=819472DA97BDC359915B34A94A4891FC77C1437E91B7CEC11CB4E564D969C276,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:55.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12138-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:55.514{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61706-false10.0.1.12-8000- 13241300x80000000000000001385060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001385059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001385058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001385057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x6152ec50) 13241300x80000000000000001385056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x6152ea8e) 13241300x80000000000000001385055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x6152e548) 13241300x80000000000000001385054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x6152de40) 13241300x80000000000000001385053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001385052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001385051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001385050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001385049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:00.760{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001385048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:00.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615B4853499793B24D65F6B4DF994410,SHA256=967FDAA79FBCABBFD66C5C4F282E47E23EF3A48244D9BBA6D3CC05173E105555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:00.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=008D0BD4C765EF31FD85D6C164A6CF4C,SHA256=2EDE61EF79CD19C5BDBEED6F326A8C49BB87647FD52C67BC56A05EB573637CCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:56.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001385066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.188{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50183- 354300x80000000000000001385065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:00.939{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:00.367{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:19:59.856{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.244{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0755B7BF2AEC330993E7B8EBC4265BDD,SHA256=0C0205B79F39D56BD741D35CF14B39044550DA0C67F184B1FCDB7B0133DD9D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:58.270{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24517-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:01.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60625C8E9407D26AD8EDDC2F37210A65,SHA256=CAC87873F5BA1EF606D8EF3AB049DBDBD527C6F6128833FBF1499F095BCB8A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.007{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3A2361035D93C487AF52D0ADB9D125D,SHA256=EDD4C9CEE667BA18EAF343361C19586A49DEB2963BCC01B35E7B18D22E07FC0B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001385084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001385083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001385082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001385081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001385080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001385079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001385078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001385077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001385076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001385075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001385074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001385073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001385072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.790{5EBD8912-8CBD-6151-0B00-00000000FD01}640584C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001385071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:02.790{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000001385070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.756{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001385069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.577{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53912-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3B6759DE5EFF38624B6E43E6B98992,SHA256=FB819B2625A02D62F0F5B319CFAE004508FA1332A0FC1DF68538775E314EE7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:02.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=203D55A906E51C675FD5FA4183D9B3C5,SHA256=8672CDA6226727B43D009F8BCEA322483576AE72A4D5949693AFF5DE805BB42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:02.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF64409EAC599F6E4082425B78F54ECA,SHA256=F3CC9EB3AC6E6511BDB8B7E453E9B32C7F1DB44A2A502CFF4E15C2BB68A76CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.090{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EE173E313B11CC860D94A6DBD18363E,SHA256=596616E1F8209F5CAED1AC454DCED119D172BD1661B415BB60D87A35657CC83E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:19:59.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:03.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39B4C4A54362247D5F338667EED357C,SHA256=5DACE3F9943C6C18DCEEB66BEBFCC01C5253092EB24CB6E3EB675D44528F01DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.795{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58992-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.795{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58992-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.793{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61538- 354300x80000000000000001385107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.792{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local58991-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001385106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.792{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local58991-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001385105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.790{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52196- 354300x80000000000000001385104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.789{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local52196-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001385103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.788{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51844- 354300x80000000000000001385102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.107{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.677{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-2368-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.176{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local51470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:02.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.761{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f8c0:7e28:8c9e:ffff-61561-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001385097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:01.761{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61561-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x80000000000000001385096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001385095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0526f988) 13241300x80000000000000001385094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0xa2e089d0) 13241300x80000000000000001385093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0x04a4f1d0) 13241300x80000000000000001385092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b452-0x666959d0) 13241300x80000000000000001385091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001385090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0526f988) 13241300x80000000000000001385089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0xa2e089d0) 13241300x80000000000000001385088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0x04a4f1d0) 13241300x80000000000000001385087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:20:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b452-0x666959d0) 23542300x80000000000000001385086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.274{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC2B9801CCF3A64B59C640BE3757609,SHA256=E44525B63DEF883231485F6D2597E5180ED151EB3BAA1FFF1CE441F200E41CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DAB782290CCC18CACC4A05555CE90C4,SHA256=4462AFE45C8335922C9C3D70CB1CD2AB5581551BEEB701F3E33D0249EB2F756B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:03.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DF37B515DAD89B6B226D49FEA08FEB8,SHA256=9298BA646BDCA788DFC49CEB124CE67A93DEFC77BB25F1DD87ACE10F24C63069,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:01.462{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61707-false10.0.1.12-8000- 354300x80000000000000001291692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:00.498{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36332-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:04.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858EBE4B6DE33339A321D0CAFA521444,SHA256=F21F647F1F4985503B80C46AB0E638B5B2CE2122DAD2054ECEDB32F82C281874,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.943{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-11038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.800{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local63577-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001385118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.800{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63577- 354300x80000000000000001385117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.800{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f8c0:7e28:8c9e:ffff-63577-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001385116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.800{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52136- 354300x80000000000000001385115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.799{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52207- 354300x80000000000000001385114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.799{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52207-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001385113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:03.799{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61538- 23542300x80000000000000001385112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:04.288{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE13926C8723FA822F4FC5A53F0CBEE4,SHA256=C1AE0CEBED854327FCA2CC053472FB521EF24DC0060502A6D4A2FC3BDE4634DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:04.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03845A0266AFC4B8AD6C5B90D929BE01,SHA256=CFD2D757B65B5FA968C359705657A5F5A39A13EEAC320466B240354C6AD6F55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:04.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2305270B968E56696883687352A735CD,SHA256=07639A0550AF31283C849873C95E80F45ECCD42AA4346756F2AF4DADB2DA022C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:05.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC41C17E1319D39DE667BE9571F6263,SHA256=12961BCBFE8FBB8C5CA82770C6C95080FD17D20511CB4D46265D7172315A094E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:05.274{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-30190-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:05.205{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-19367-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:04.190{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:05.303{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43BC306D0A16B52EDAC25D0CBFD5270,SHA256=FB81B1EFD2C734D31AB57CC56FB3C2F97133BB28AFDA383004B35A454EBBB00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:05.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E479F2A1CDA167A2A1BBC6856840478,SHA256=D7DE9AE7B4574C2B6CC28D604FDEF2CD742F68A5A8EB30BFD0DC342563B1DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:05.272{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F62A7FA94ECC55946AF0D3E4D447FF91,SHA256=002694153B4008F9A0AFA72577B1BA226995C1505703CC153BA65F72ABBD1225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:06.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F14857FEF0B781B599EEC182845E7D3,SHA256=AA55056789BEB4CEEAA2C70A7FFBCADB082465383408DF8D65162323622E6CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:06.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0D874AB2DF72086A09EAC35754B106,SHA256=49EBD08D2F76A97405F5452F16A5EA7A074145601724712B9C05713358BBC2BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:06.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:06.402{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F62CC61EDC51B7CF974DA2929DE076,SHA256=9E17057983138D0EB8765F1AA4DA905BE29927B03C74058A9ADB84790C9374C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:06.318{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F8B70317CB3A5AE77CF1E7E1529F6D,SHA256=824D72C63BB4F79ECB1E3CA01996B15BC859C723D0E25DB80C1ADE8A1D699114,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:02.826{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47937-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:01.693{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:07.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3063C6203533A912A50FCB1C0D9F535E,SHA256=7470B53351DC661320CC196E73BE42602269912DE93BEBD04FF944EFDB4A089B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:06.883{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-53474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:06.368{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-33577-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:07.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16CA14B7EFA3663B3B41F0464622B845,SHA256=072456ACF3654BE456E1AFA66302FD3706A2B5C56A5A21138B8E59A9D2AA97B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:07.336{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E6309CD379108844DC9E1FF20B8F7D,SHA256=F86ADBC8DE9FA15E89CE5C0025308BD656E6BB8E22E8D8C43A030060E9ABE525,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:03.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54083-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:07.241{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5720MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:08.558{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-40676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:08.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local58993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:07.688{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-35983-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:07.471{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-37199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:08.635{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8D403157E59D70AD9353C3598BC9B0F,SHA256=B9CD31BC686C8BD640BB3C849BA2B852FAD076A048AD6557E833442C7931F05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:08.354{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73887FD64A7E9102CFBBF1BF82862F4C,SHA256=03AEA9083976BCB7939D505E846ABF6281EAFAE7D09969D93219568484C2661E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:05.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-1885-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:08.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA4F993F7740679E15F9992F1A45A0B,SHA256=96E4B7EB55432BE1573F49A01D2CA4CD95904169DBC887B47A6F4B1AEEFAC77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:08.253{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5721MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:08.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C160AF0F7288908D0EDCA30C8D34AD7D,SHA256=2E04701A422AB6BD46EFDC89B25655D6BE9FC41533080D87A47CD175A5D5BEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:06.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7880-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:09.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F313C581C8ABD958AB610A7CB5D0CC5B,SHA256=CCD5A25B672CA9C846A915B23C5CC43D07D7977C223E2AD04EBB75041600E847,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:08.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43985-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:09.715{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50AFE971D81EAB18AD0C8850109F1CF4,SHA256=7A55D34C1D74E0A6678AEB19C64340A3E9B20D5898328A320D4DCE1335A8843C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:09.715{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=D9957A84FB60C35EF54CCED2075E7A60,SHA256=E20222D23A7D134C28AD63D9CB170EDE6E69A9A0696BBF8D0BF18FAA07B7F49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:09.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D451253D3A75715954408F509E3F0EC0,SHA256=20C8A8606FEBF95683CAAFC16B3CB148FD90DD1DE15BDB22FC2793F792DF67FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:09.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18566F3ECF85D97EA0CC7DA7F745B1C4,SHA256=2C11FC9274224F52C5C8214BC58BBC994CB25F92295BD90EAB44436930499021,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:07.498{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:06.494{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61708-false10.0.1.12-8000- 23542300x80000000000000001291714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD56F003331B858BF1D801A5189349B5,SHA256=73834E6B61C730658AAC251E8F977FCF04BDB95BC657CF04A5E3C0C4C256C957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.984{5EBD8912-DE4A-6152-8528-00000000FD01}66806000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.869{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=690FF29D9F719BE6176775DB8CF37E0C,SHA256=39E8301CB37460BAC5539073D5C09923F60F3E0B22219E3995704237755D440E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.001{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-52326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:09.649{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-44081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001385161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE4A-6152-8528-00000000FD01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE4A-6152-8528-00000000FD01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE4A-6152-8528-00000000FD01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.816{5EBD8912-DE4A-6152-8528-00000000FD01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.800{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF6E7A02312E674F274E8ADCA7A78752,SHA256=A82AE7BA1AD20A9CB3FA4DEA13095255B6D40052B5F5C613C5B224D9590270B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.372{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACBD71DBB51AE2E3A48F20282626462,SHA256=85271F5477EED8FE07D2C5B360C14D99E815E865F1FC1536D19E4D62493990F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.377{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.377{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.377{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DD43F127AA3BCC77B536924FBA57769,SHA256=2D08C0B7EE490EC95B8A2FB74D4ECD46CB01C61AEA972DE07220C654E885678B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.318{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1403MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE4A-6152-8428-00000000FD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE4A-6152-8428-00000000FD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.152{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE4A-6152-8428-00000000FD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.153{5EBD8912-DE4A-6152-8428-00000000FD01}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001291733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:09.023{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20964-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.783{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C427CEC4F5DA7A45509F80A37913BAD5,SHA256=BFBD86D0148AB8EAA059C5D0627901D0A82E6E91747718402ED1F6DEED0EF340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD2D892BB4CB597A4099D1BD602CB71,SHA256=D2982C8B27BD8C904414D676B9079B58EE9893B705E5C1767B6EF03DF8ECAC72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.831{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.172{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.137{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.113{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:10.731{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47563-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.836{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E27D51A7868AE8453355DF35A658C5,SHA256=57A603C0F2655EEEEBBA3F4EA20763F05E6DAB10BCDADE17C97880BE3CF91F2E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001385174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.515{5EBD8912-DE4B-6152-8628-00000000FD01}6772C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001385173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.483{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.375{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E0466412342103A74D09F6BB26C907,SHA256=85E535EF937E5A16056FBFEDDBAE3AB3DB3A447E4B1BAAFC6AA38AD4F1ABA6ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.643{69CF5F33-DE4B-6152-79A1-00000000FD01}35481896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.424{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4B-6152-79A1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.424{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE4B-6152-79A1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4B-6152-79A1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.408{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.394{69CF5F33-DE4B-6152-79A1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.332{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1404MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C0258C67FE9DA5D459EA6D29CAEFB5,SHA256=61666A4A1FC115D15CA5B5AC06FD3015181C5FDC4519E0AE300F15DD3D3B4FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B251F8A03B3DFE265D2EE80EE0A13050,SHA256=0CD79A0CA0BF09044FCDE0759D9693F63EE89D68FA70B48180206775E7572186,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.539{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local58996-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001385193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.528{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local58995-false10.0.1.14win-dc-429.attackrange.local389ldap 10341000x80000000000000001385192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE4C-6152-8728-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE4C-6152-8728-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE4C-6152-8728-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.751{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.752{5EBD8912-DE4C-6152-8728-00000000FD01}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58994-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001385183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11B4746F670E70AA6EC48427760EDFF,SHA256=D5ACA9AD8C48EEFD3D8B0EBC7C912F9D796C959187F6A25E850A40F92D61E73D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.518{69CF5F33-DE4C-6152-7AA1-00000000FD01}30402540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4C-6152-7AA1-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE4C-6152-7AA1-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.112{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4C-6152-7AA1-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.097{69CF5F33-DE4C-6152-7AA1-00000000FD01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.289{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8224-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.225{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001291779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3EA84250F451130F741F6B6AD5B5B5,SHA256=3C1BDC923037497FEDB860D7D77EEFFD5C0BFB46F02C11AC57A69B5E9F62DD9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:10.156{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001291777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.877{69CF5F33-DE4D-6152-7CA1-00000000FD01}35882616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4133591FDFEF583399E90F5BA38547D,SHA256=21E8B295415B08FA2DE5C15986FAE6EE59ACEC25CF704CC4AA41601813495AF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4D-6152-7CA1-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE4D-6152-7CA1-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.705{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4D-6152-7CA1-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.690{69CF5F33-DE4D-6152-7CA1-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.467{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-15946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.936{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-54489-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001385209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.635{5EBD8912-DE4D-6152-8828-00000000FD01}64165780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001385208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.539{00000000-0000-0000-0000-000000000000}6772<unknown process>-tcptruefalse10.0.1.14win-dc-429.attackrange.local58996-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001385207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.528{00000000-0000-0000-0000-000000000000}6772<unknown process>-tcptruefalse10.0.1.14win-dc-429.attackrange.local58995-false10.0.1.14win-dc-429.attackrange.local389ldap 22542200x80000000000000001385206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:11.546{5EBD8912-DE4B-6152-8628-00000000FD01}6772win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 10341000x80000000000000001385205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE4D-6152-8828-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE4D-6152-8828-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.414{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE4D-6152-8828-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.415{5EBD8912-DE4D-6152-8828-00000000FD01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:13.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FA3C0CD90569BF8DFCE99A19B4F531,SHA256=BEC1AD3169700652DA1C2EC1F1A9C5860431697DD88107A83DB80F029DF7FC11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.514{00000000-0000-0000-0000-000000000000}6772<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58994-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001291762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4C-6152-7BA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DE4C-6152-7BA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.018{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4C-6152-7BA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.987{69CF5F33-DE4C-6152-7BA1-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:12.997{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2620FFFDD5270998357E35A5D65E429B,SHA256=C238DFBCED6974A0A1BD755EC5CB6BB039E22E2A87C808B835F03ECBA09F895E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.588{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61709-false10.0.1.12-8000- 354300x80000000000000001291794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:11.260{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.877{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA866E5C3174ADEB43BDDD16CA398FB9,SHA256=FACAECAA071B274347D64A47207167608A666626AC2FE5FC0597D150928A9BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.545{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.178{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local58997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.013{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57815-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.397{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2002E4715D46F926F4BE3AB8DD744218,SHA256=120F0C5CEE76DC00626DDFEEC517393FE3DC21A772824F29325F059C507E298E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4E-6152-7DA1-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE4E-6152-7DA1-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.393{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4E-6152-7DA1-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.378{69CF5F33-DE4E-6152-7DA1-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2208EA761BE9E886D4D94D2126F76692,SHA256=D9C2FA33671A45BF990F5D1BD056201652351F66F281552CBA16FDDF8B06C89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C9758FAE2F99A785A88CE450E97811,SHA256=218D292D11F2115FE7CCCCE2CDF0EFD7F9D860E32883DED07CF00B5BF65D676D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:12.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001385264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.621{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-31159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.612{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.587{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-30675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.574{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3728-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.539{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-30138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.504{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.482{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.436{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3327-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.430{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.399{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29776-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3089-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.328{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2969-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.326{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.302{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.290{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.279{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29004-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.256{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.221{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28549-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.218{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2674-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.197{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.195{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.161{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.157{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.135{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.135{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.098{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.097{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27605-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.073{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.033{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.010{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-27028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.986{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26804-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.960{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.937{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.915{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26168-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.868{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25997-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.845{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.810{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.773{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25313-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.738{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-25155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:14.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.412{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A083EB41E8AAFF9B05351D83F876EFC,SHA256=C48FC714795D3EC66A2C4883DDAA11CBBC25D365181354B4CC47F881A0A35933,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.268{69CF5F33-DE4F-6152-7EA1-00000000FD01}3412416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001291809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C0505AA532E2B114996A271D78CF47,SHA256=7DB840F7A9708B7D07D3BF7D4FE715F1B2DADD74E4D8E1CFC44F5C8A56A7BA9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE4F-6152-7EA1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE4F-6152-7EA1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.080{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE4F-6152-7EA1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.065{69CF5F33-DE4F-6152-7EA1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:16.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC59F89CB9EAF1B79327B698FBB0BDB,SHA256=74EB5AFD6724B8EABDD87495D37652B46E1B29692620F98B2D4FE0C23A90872C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:13.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44252-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001385274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.896{5EBD8912-DE50-6152-8928-00000000FD01}49206444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.864{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DFABBE4C7093CA542C0762AE7F0F4E,SHA256=D692153AB0C9E20C027D90228FDDEE3DF182581009AD632B7E0C6A89038EA171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE50-6152-8928-00000000FD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DE50-6152-8928-00000000FD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.696{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE50-6152-8928-00000000FD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.697{5EBD8912-DE50-6152-8928-00000000FD01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:16.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5A715EB5DE4333D354A5C7A1CAF8AB6,SHA256=A332F8E7D8898B84A4EA05B8905DF14D69EF24A804AB47E14160FF21BDDB1467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.982{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99716D9CD3E7231C867A8E8F84E9DE7E,SHA256=0F448B0DE0FECF5A4F581A14E5F0C244896534F047ED9EE130C934A642D5CE39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54667F9E9610B4C0234749B0842262AA,SHA256=2718B531FAD87916412E02B579B8160AAA91EED6B79FEAE2296FEEDE9028A63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DCD4F5BA3BFDA0748CA982385C83A0A,SHA256=225778A36634578F268E59E423ADAE49062DC5EB3452BCE2E77E54792835931B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.548{5EBD8912-DE51-6152-8A28-00000000FD01}67605128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE51-6152-8A28-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DE51-6152-8A28-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE51-6152-8A28-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.364{5EBD8912-DE51-6152-8A28-00000000FD01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.736{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43723-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.692{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.654{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.591{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42885-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.568{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42739-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.530{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42639-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.508{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42530-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.487{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42350-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.450{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42227-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.427{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.405{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41981-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.384{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.361{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.340{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.303{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.267{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41204-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.230{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-41081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.207{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40955-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.185{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40858-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.141{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.105{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.068{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.993{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.958{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.935{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.886{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39397-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.863{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.796{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.745{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.719{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.697{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.652{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38137-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:15.630{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38019-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:18.731{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9EBE749B4750D6ABF719F422668F5A,SHA256=3C90ACBB263DC9F87EB56CBCB567DCA75DB4897EDCB7416D062C872ADFF88C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:18.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AD48D9A7276FC1B2766FA317FEBA985,SHA256=158AA7D26D60C9FA44D59DA73FC0C15E05E35211F1D770A8D03C6FD0A7B7926E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:18.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03AFC58894C6F322BB2F6B468C0E57E,SHA256=4C5A4F9EC5B2538B837AE3E5635CE4E2E543E2D23EC301F3E94723598713E1DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:14.682{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50138-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001385341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.319{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.295{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.206{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.170{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.132{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.095{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.059{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.036{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:17.013{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45095-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.991{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.954{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.931{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44477-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.883{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44323-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.840{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.817{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44107-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.783{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:16.759{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:19.746{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1160D61161DA914154FD7F4FE37C1CB7,SHA256=2E56B697B00271954CD879792F34770800A7642061A344F28CC3B99EEC44F5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:19.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F40631197E539FEDC487FF6C53034AA,SHA256=CCD18E26932E4D0A8EC18BF8B344BF1A983FB071D1D33B62720BB5A675D64DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:15.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001291821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:19.174{69CF5F33-7F27-614D-0B00-00000000FD01}6241576C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001291820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:19.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E4E2B2FAE6B4DD9B2F3458BB66D496,SHA256=8EAD6F10E1D7103F26A051B9C7B0CFB0D47635CE3C0F0DDFADC2C6F41B405DA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.219{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261710-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.216{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259995- 354300x80000000000000001385354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.158{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local58998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.761{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BCBD85CB6C53DE1D66A2BC451FBECC,SHA256=3359AE9432E97A0967BCBB72FA60490E90D4FE62593AE6722CC470B72297F291,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.004{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:20.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9543E1972C1A69D431991F06AC90A568,SHA256=2FDE16F0D575CD29DF886B60977FBEAFEAD29DBBF72E5BB10E9E67F8EE6C70FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FEB1DDC8317B6393C89B5D19DDB101A,SHA256=B1D0E7D3185FD2F8AF9FDE37EA1FADF2C3D25F14C8343160C533A65DDDFDCA2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE54-6152-8B28-00000000FD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE54-6152-8B28-00000000FD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.031{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE54-6152-8B28-00000000FD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:20.026{5EBD8912-DE54-6152-8B28-00000000FD01}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:21.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E5C4883398EA87FBC7402882970155,SHA256=B20022555F467229E2FF0E21079B42FB86DA8AD8323C300B6408B9EC1A59CB65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.573{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61711-false10.0.1.12-8000- 354300x80000000000000001291832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.532{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61710-false10.0.1.14-445microsoft-ds 354300x80000000000000001291831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.530{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local59995-false10.0.1.14-53domain 354300x80000000000000001291830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.529{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-59995-truea00:10e:0:0:0:0:0:0-53domain 354300x80000000000000001291829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.480{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2557-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:17.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:21.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0709101ECAE03AAB7D1BCE3CE3F336F2,SHA256=CEE0968FF7B2083449C7194B7E2EC5718BF4D5AA09669AAEC849A666D519B001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:21.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47218E3078A670ED830E4FCC9D8191E1,SHA256=210B391BAEF694D7AEDED140C16F9E03E9F669EA41018E115BF0C63CF1C86714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:22.827{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F32F24FDC87732981D32F6732D6E34,SHA256=6F9031DFD3A5E08AAD34F993B877764A869F07138EB74F69B5B6B50487D642B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001291849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.518{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE56-6152-7FA1-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DE56-6152-7FA1-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001291838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.503{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE56-6152-7FA1-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001291837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.488{69CF5F33-DE56-6152-7FA1-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001291836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4244B9E142B4440078B29D79A1BE34CF,SHA256=94A4EB37A96ED99EBB968F53BA4EEE1A1ED89EC1EBD4229AA1B0F5DA850A6DB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:18.384{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C271E1EC95D6CAA1AB45BD3C6479961A,SHA256=43038A83784517EBCEDFD6017C9A2D609BAAC1D73BD88C4D6832C17A513853EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:23.843{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBBB286E45E6F32E7456D14CE37AC09,SHA256=6AB459F086C01A319DB3AEE6188E64DD5653E2A782E15F8DC3EA4B1F5DCD0EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:19.873{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:19.484{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15242-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:18.627{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8359-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:23.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3496A492A3A9A45C4A2BE7F04DCA4B17,SHA256=467A9FAC0D366EA798D3A4323C64CEFA29BDB346163370649DCC175A04C5C9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:23.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DACF2104653CB6C9E48C6C4298E8E6,SHA256=D59D8BCE94508A495433EB867FAB0089BDDE980F2FB189A5F9A79FD45A8F7BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:24.874{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BFFF186A3A24D15F4F4947FFF5F029,SHA256=12A73A02841FF64C191772CD90B4E202465AFC348F3CE672B04DACBE884284B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:20.586{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21043-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:24.424{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B940D001AB3235A1B15BF2A3F007D94,SHA256=179DEFDE194AED8D429477334F5CC7CABE52E670F671AC0FF6627FA371FAD502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:24.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07855D9865C9072D83933B4DED471BF9,SHA256=169E5E244BCA4487F1837F667638362A7CA4D761FB82F18FB3AB463D374DDB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:25.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8949F386FD67FFBC9AC630173AC581,SHA256=24BD99CDE148AEB9A445FFC7F90CF92C3CCC7038F7759ACF0B42733287A67EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:25.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75627EA1B9B1C251976FF01D7288C0D4,SHA256=CA4E69DA27E5DB4754FEBFF29BE45DAE86F29DE43222B3A8A64AD2DC3B14B2FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.169{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26969-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:21.687{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26377-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:20.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:25.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A59237FFC34F78347B9122AA016489,SHA256=5909812479B89AE8F737C6C7F98B731DABF92BCC1B54F3B97874D60122992046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:26.940{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9167EC07108AD550CD78D12568BAC9F1,SHA256=157F67ECE8C54E6DE35F31DC46B1B3D93FD37205BB0F0ABF5D7A2E243C2F2F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:26.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C7E4004877911899F0882A21225534,SHA256=B0F04A8C264C28FF7BB10A397344E5E9EEDABD8AB7640B16E81798945783B3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:22.800{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:26.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05210179D89CA0E444C28573604C08C5,SHA256=E177BA4A264BEAF83220801393ECCC4812D566060D25445F5DEE3486E66094FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:27.955{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A815716AFBB573DA05F4B65E04F5AA,SHA256=CD538AB21651CE21AABDAEB933627699267A4EF26CB187A0EB6624BBFF358FFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:24.431{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38258-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:23.919{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38111-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:23.432{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61712-false10.0.1.12-8000- 354300x80000000000000001291867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:23.295{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32594-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:27.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7752D7630EBED9A52937BCD261C0C54B,SHA256=A2C3D6AA09D4B2CFE50EF0BE671D40BA6CB818FC1F0DD87D52792777F56D5F41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:25.240{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local58999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:28.986{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F0F6625A6583C25FDD33810764EC1B,SHA256=D60DC66D676D122A0A45DCDCB8200CFEF55357187B8711FC22DC49C86697AD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:25.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:28.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8434708004D48C77666343217E5015D,SHA256=CDE32897A403CF4A87902CCEFD91DB18A8D778611F40B3769AEFD8186872CC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:28.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3538FB51AD4D0F64D3FCB43597BC1721,SHA256=510538D0DADEBF25DE78FBC0E5851CE050846ED2893A8334D6B2CFC6434BA53F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:26.657{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-50043-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:26.374{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:25.576{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44252-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:29.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89617DFD153A1F6D81B59D636E7AD62,SHA256=8C5864396AFE1A20CE95D9697DCD4E4B013B69963AFDE51926CCE7EEFF4105E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:29.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D960E98E45BBC2B24B039377890034E3,SHA256=FA44E372DF4D91B2EF414EC11516E1A68E31AFFB984C7437B94D07AC9BEA04C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:27.476{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-56226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:30.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2188FA0B5EC6E4D62495931BD8A6E50,SHA256=822177B0100156A42B4F6E0B2D2CC5AAB2E2AEE116FF431B6DD986649DFB3199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:30.001{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EFE71A1E1EDA0549BB866CD9D32790,SHA256=E400FEA0382C90FE353FAEBE28A1CAB18EA83240A7364E6D55D4444CB933F89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:30.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4224F18487B61CB8EA7B96681C228BAE,SHA256=C68ABF3EF06BA7959A48A4D7B13B0F3FBD038B56A3EF0F21E6DC6D254C0E3000,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:28.905{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-2754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:28.593{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:28.510{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61713-false10.0.1.12-8000- 354300x80000000000000001291884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:27.827{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-56196-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:31.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5CBB7B44265E17894B8947691CEB4C,SHA256=679386233AA151256C5B81443F09762525006B22C31C4DEB0F45D320BDC0DB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:31.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E3EAD081CAC5409B7C89C6575F69505,SHA256=B5752C0B2AEE457250414FB6B2B3A4CE0E0C23AE3286D1C9B39F0D8FDBDC4B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:31.218{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A1A5B1B323236736C80632B85256C6,SHA256=F8417973A10609B6C46D382BEAAA44480701FE9CA3F581D7CB607E355EC2ECC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:31.018{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E357AB18BB146635BE107DA5C42BB2,SHA256=DDD309A6ED89DF73C2EFBE7B06A65E2943E829BD6B1D7863CA2F459638C9EA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:31.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6F50384167907B95CAD4F3BC46739EE,SHA256=7361AAA63132441ACE0CA92F4EBF2C83B73AE31B2E35209ED9BBEE43A69D653E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:32.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB87F474170AE18035AF1850CD19673A,SHA256=E86D64D4B5DC60D66D99E873082159CC46D8AB07D81D7E71E041B8F1B5DE89A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:31.116{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:32.052{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68D72E5D627FF708972B77781B0D3E1,SHA256=4AF9BDC8E40805521D70018D9273B096BB9478935059E0561B6B941D41077A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:32.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7403B582460F8BEA66B7A17577B7384,SHA256=4E3D3D68F43B5B6D0512FDA3A204C62B37177FD6E486BB80DFFC5F85D79371AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD01CDD76D1D91C76276BD36F10C250,SHA256=9567FE6EB6D7EDA114096B5BB45EA91E88725DC8A2A5B989706783AE25EE9066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D4C1F83C71B7EADE30456E26C4A707B,SHA256=A1647ECB082AC9C0886FBCCDE04F559A4B6D2C9D1090246D5BE1A087CF4E9EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:33.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99A8183187B2FF25599A52530F40272,SHA256=36EEFCF782944BDF8CB7821FFF91D72D4247D9DE2ED06CB470779F7C541A137C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:34.878{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCF6BC10368B3B6F34C124E2CF5FC28D,SHA256=AD3432DCBD9C8A6C46720C807DDF6AD9B059DF76664B4BD6E2376C9818285D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:34.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56A8E3104FDF8BD37D46DF3A8897DEF,SHA256=05E259FD2B0EAA2E852238E2DCE9F63F05D8EC8C84AC092DC5E419484AA62BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:29.983{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:29.703{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:34.082{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABFEF71182626569173CE3FB8231511,SHA256=ED142122DFAF32D8885040D7A840ECC3F1BBE72FE49D81FB4FFE98B69AED8B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:35.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4D428F3321310538C0DCCBE0739457,SHA256=DCBEB384CE4B1A9F6FD250B6EED99D24C836823D1BB45EADDB4D01C894015888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:35.096{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD74FBA0BE19EC344F933AEC2F9CFADE,SHA256=50C144BAAD0996ED0F643D974D0A1DB12AE3FA1F87DFF5F100FB9882D1066948,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:31.061{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:30.840{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:36.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB5265DDF51B7DD6E6CB9DCD9A50F8,SHA256=E9BAB0D88340E7C4C5E6CAFE8F28A3A9CD457D283D8CAFEAE9284431C7ADCA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:36.112{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C10C25C3D36005CDD6E38A254E24351,SHA256=1EDEA01BAFF28CB0333E993618AB9FE382765B564F71B647035F62AB4A74FDF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.364{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.266{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:32.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:32.078{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:36.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0107DFE6BB74BBE342D21E1089A1DE0A,SHA256=FA82427D287EAA924114F500489AD4C7EE8F645879D0112FC4CFA761C0901799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:37.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49A04692493B9F161DF3797F7AD690D,SHA256=130FB0963C350619E6DA3227A8B0F1D95285DDF9AA6068CBA660BC66AE064CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:37.146{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3810575A5F209751E6463E8AC637780,SHA256=7CB256C183A26D5245CA6F9BCD4349D50AB7F809C392847D044DED0E6C67A111,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:34.420{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31560-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.557{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61714-false10.0.1.12-8000- 354300x80000000000000001291907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:33.414{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55649-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:37.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F934EF9A70F15EDD748025CBDB17EC,SHA256=A859251C4053F8AEC46E78949BD44963AC192F2CF3FA78EAACA431FC139B6F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:38.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810EFB83EEB776CC0D78111EDA12DC60,SHA256=57B870B3C031EAFDB86FE1CFD341625AA42CB74A363E098ED8390DA3EBF08866,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:37.128{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:38.161{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A6514A23B9E9803BE7F61FCECCB658,SHA256=B2A1BB6E90E760C2A3DF09CF451DF135CA231236ED5EBC7A68B202764A62EA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:34.530{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2223-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:34.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:38.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=541BE50D7D1B7FBF7A93AC133776C6B7,SHA256=F6BF3991EB85CFBBDE633A65AECA715877B1063BE61F0DA789BDE9083EECE92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:39.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52F63A15A8241E3B1F003FD64BE77B0,SHA256=60CA3CA9B51DD4090E6E376132038E2F1E0EA9B613B1F897E8473FCE929E9921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:39.193{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5C4428EFEA2E4E09F8F58ABAB55FB6,SHA256=E2AB7C72C214B238AF12E9A89F73825DD81DF7AF4BB1A6F765886F8919662389,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:35.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40154-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:35.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-38221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:35.624{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-8280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:39.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA72C33F984E600CC86BDD07ACDD25CF,SHA256=1DA8442312553C7249317089DB2B06FC08D6CD59D7958C4D9652E95310A2DC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:40.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88153B0FA261FF76EDF0C964FFFB7A8F,SHA256=0C762AB66AE7BCC9BA4453FD78C3934BE04BEABBC3F67D92A8396F1DE12C44FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:40.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6587A46FA9E044E4BB6AE04E36B310,SHA256=F5CF821A96B2995FB0EDB86F07B347B4A8EDE80963AE82C70004570E6E8AE9F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:37.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:36.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-44158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:36.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14382-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:40.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3DF65DB2260C6C2308BEB4740BD40F9,SHA256=D07A386A245C8F6CA22FFFBA7FAF220AF07418732D5C50DB17800FEFECEA8C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:41.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645C095F20FCC92D730EDFE4D1324CB7,SHA256=AFB5EF9C64D64146B5CE22BDB0D62D207A665BE8D5BAAB9434D26E40C5427534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:41.249{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4281415DFC66578D36DDAF6ABD6099B6,SHA256=03668EF87EBB6FD3BA909704D64A2D3A588638FE71451F00A8413F00320037D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:38.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-50664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:38.158{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-51477-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:37.814{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20112-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:41.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC3E80F1B6FEA1FB69C19417A024F1E,SHA256=208CF6E7D2E50CFA8737994EBD45D38D01E99E956CF36CB2A566133E20F14FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:42.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320744F880405630F5FAA19E541BA1DF,SHA256=E4501CBEBF9F6C929C49D15E8CFDCE69041A9464CC7A8F7BB2386B70271DB647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:42.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E7C1C354C1A8DAF687DA9D270C5567,SHA256=B0A73A06ACC88B5D4B5BFCC17EDE0F7383EA6016BB998BBE5C680FA2FDF80568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:42.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B6664ADC1A17036855A7C30A7FF216,SHA256=81A327B3F85BCA8E48E1166E2B1736D8013BD6454BDC984E0E40DD015A42F589,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:41.095{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-37125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:40.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:40.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3B3D8A8C3682F4345978A310375192,SHA256=0C2583D37B5085CC4D1F458617DD8D0984BA2D5D0855AD09E3F180C1109831C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.091{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59003-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.091{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59003-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.091{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7721716CCD500BE223ADE8DD7CE0F23B,SHA256=B90BEB4A73E0AAA4C547EF4DD53BDC624386DC830E221E1995183AA2A3A6BEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9030CCC2CA09C05F1EC789BBEE92C4DD,SHA256=BF22ECFB93C6EA898A11A89AEC6B5CA6774E787F60D326670E857BDE8F3815E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:40.019{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-31319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:39.450{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61715-false10.0.1.12-8000- 354300x80000000000000001291934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:39.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:39.330{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:38.907{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-25779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0DEF296DA72D3CBF1E588B89A52EDD,SHA256=F650FB573778CD50D491C40B0E84C5C5C63BA2851A72949ADC41BBA7007FB118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:43.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E3EAD081CAC5409B7C89C6575F69505,SHA256=B5752C0B2AEE457250414FB6B2B3A4CE0E0C23AE3286D1C9B39F0D8FDBDC4B55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:42.185{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-42938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:41.657{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-9790-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:41.575{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13329B62A1707C4DED32F51E8E16B44,SHA256=16DE6D6748E061FE1260AF8209628216B9420984170455DFB16E5F6D63FF22C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4AE2186080872ADFD1960C56AF019C7,SHA256=9E85A213F88F7A2E800B892E11E962518A794F4E33C0694117C6121E282D10A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:44.330{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CF183668BEE3F2788A0FC50F60598F,SHA256=93705E48FF1F5D517DB652C81AE6479A49B79C5DCBE6DC4AB34FE40EB72DF95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.349{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2285F6FB556BC2C77DE95D8883675E6D,SHA256=8715B688DFC0266ABF15904FDF4F825E37499737A4FDCFBD34E11F03C89692F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1ACDE87560247211F431877B9C1C5C,SHA256=B0201D4433F797E6B33CA15C8F016E844C67A5740265FA9D8C63C4071434B41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:45.360{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D16BC4DB4DB76ADBE601B4B4910CC5,SHA256=2BC89F69771F9BAA6BB46122AC88C33124C13EE1E44B5919C0A4AEEE2E91348E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001291948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:20:45.052{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b44a-0x1dc19a85) 23542300x80000000000000001291953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E196DB554AD7E1A9F7857D973075E8E3,SHA256=28FB13EC5ABF2CEB343E448A169CDEF46DDD88629C27A023FBB26D409F6A5F4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:46.075{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 23542300x80000000000000001385391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:46.375{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C429B25E98685C9B419573E790C6B4,SHA256=DD3B1F597C3922C44522BF6546A2F0A03A813AEB1514BD620046BF67CB45E669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B5088F9B5578861B416032FF518CD9E,SHA256=75A27D022F2BB65C584873DFEEB7E75090E143A6594F2F0198A8BBC9BED021AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:42.751{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:42.673{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-15490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:47.742{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:47.389{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C9269B217654A7CAA534D52783AC1C,SHA256=2985A2DC1B21CC6EE0E04630261E2AC918F30D2E96CDFE69F7B2C4FB89AF203F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001291970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:47.239{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001291969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23120-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22690-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.159{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22389-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.063{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-22173-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.034{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.998{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21825-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.904{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21231-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.815{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-21521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.387{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001291955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.387{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x80000000000000001291954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:43.323{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-48866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001385393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:47.127{5EBD8912-8CBF-6151-0D00-00000000FD01}9007116C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:48.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3962E98F26A94FE1C56BA9246112A75,SHA256=55C5108EFA5573EBB49DE0D37429A6D259A8D707C9AB8AE0E112EEE845331697,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-59048-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28891-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.208{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.203{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28665-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.167{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28205-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.163{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58496-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.144{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-28096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.126{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58305-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.123{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27999-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.116{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28312-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.101{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.089{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28146-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.066{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27727-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.053{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58009-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27617-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.031{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.031{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.021{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.994{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57710-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.985{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27265-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.973{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.963{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27400-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.927{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57368-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.926{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.904{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57238-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26657-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.880{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.868{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26453-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.857{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.833{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56709-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.831{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.795{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-26117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.750{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.737{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25739-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25621-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.679{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25408-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.643{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.627{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55330-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.583{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24860-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.575{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61716-false10.0.1.12-8000- 354300x80000000000000001291985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.532{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55087-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.524{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24527-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.510{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-54959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.491{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.489{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-54773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.470{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-54555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.448{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24116-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.426{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.405{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.383{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001291972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:44.361{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23625-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001291971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:48.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C49A7E7BED874A6AE505BC00CB6BC3,SHA256=A92DCA831AC317AE8D61A9ACA482C6D06DF0E6620BE28785AA5FC0920F32C1EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:48.722{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001385398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:48.139{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:49.393{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1F40BF110AD0B8878675D975AD7CB4,SHA256=7DB0DF31B081B0271FD74A93976BE918EA1145596B4694095345624E66AA6300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:49.302{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13D2FE4BBBB77D8F538EC47779E49F0,SHA256=C69AE8629F121D8EB907AADBF32CF86D91B4469E0AA33CAA60764BFF71EBF685,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.182{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.137{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4698-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.102{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4341-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.042{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:46.004{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4012-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.982{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.937{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3606-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3469-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.892{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.833{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.740{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2595-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31437-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.698{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.694{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.671{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.662{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2307-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.648{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.639{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2112-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.603{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.587{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30635-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.575{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61717-false10.0.1.12-8089- 354300x80000000000000001292056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.550{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30459-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.529{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.514{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.491{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.490{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.468{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1154-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29983-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-1027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.407{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-59846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.391{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.383{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-59661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29477-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com29987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-59374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:45.317{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001385433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:49.729{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59006-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:49.729{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59006-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001385431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.629{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C052073D0311500EBC4CC370C51177DE,SHA256=1CDC7434833824D6ECA00CC889C0CEBFBF535D93842FE812F1C9FAF0BD48D822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:50.442{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCE505664422B8A711F2521BE7EA662,SHA256=0310C9B86600A492696AE87114B078FCC9A54837141A1ABA534D469415B181E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.210{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.209{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:50.208{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:51.660{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27192532521C7BF8C6B1D3AD86F451B,SHA256=3697A6273089F4B8CBDF74A283852B31A53AF794E005B2749CF5FD19221F23D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:51.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982BCF09AACDE086D7A29A650FD475BD,SHA256=DF1DF7F13321AE85076355D38C66E3F32754549AB24CC128BD53F90D584FA032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:52.674{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F037C39E933DCFA990042BD8DE2FCF4,SHA256=710032089B546DA9A04CB0B39BF66BD4533AE99F7D3192D8074E1C1423BDB974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:52.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEBBDCED126CBA4D4D2737A2B12B648,SHA256=54986317CD425E82A3F53954D0345B03859E57938FEFA50E4DAF4E3DCE89069E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:53.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC25B681AA91AC2A7B034991E2C1869D,SHA256=AE4C20C76801DC95A31DAEF0F666C08E5D4BEA40E054D993840356365EA8A28A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:50.529{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61718-false10.0.1.12-8000- 23542300x80000000000000001292092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:53.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C601739458A1FDC95BF54C58E2098F,SHA256=A42C0C4E90F5B1FEFB368D7BC470527855493057E0B9FDE7950A068760923658,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:54.138{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:54.757{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BA6F40C722460D19809836A36F6224,SHA256=8D60B140C3E637303A1237A1122F122150E68C23B4B44D238753B8E43A1EE59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:54.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6C8F4F16366A70DCC983ACC6C613E4,SHA256=8E54757EC9B489E73E71AD516EF34EF89A6FE630B55230C30DB97A946E4BA73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:55.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC13583222605BBB04C1EB1BCA2C957,SHA256=E715866AF99395DD19F04FC51A6918B78B74730EFE5A45F8C47A760CF5A0BFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:55.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6641FADD45456076A3CD9A480C9361A6,SHA256=83552C1CF421817B6F57E253403CB697FA7E64FCCD97B1013CF5177251B368F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:56.804{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6D0F26D6E131F2EFC25E8F4C8D2C47,SHA256=06DCE2268561737556A6430621B7CE4BC7598B778E4750759AA79F5B80CFDED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:56.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B40FF42C4E47802B311F9F8C70480,SHA256=21E57CCF7925AC57E2F51DBC9B5569F90324075CBF6CFD55A3B543CC5227B3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:57.853{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7D69B29A52F426BD55527C7DABA288,SHA256=FAC5F1A3684B2B526BB24FA8D730622048150979F1AA560DDDF913FD819F0B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:57.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A7B42598288980320504D013BCDD7C,SHA256=108D0960F36B6E3447E03115888F2821F5EB9CC09CD0B6616CC9A0AEA508CEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:58.853{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88C5DA17049684423C261D46D05075F,SHA256=7ED0C1606AB9E9B89D01284C74016EAACFFF903D802BC10D36F696208DD0A77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:58.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF80B60A6C333C5B01B3495E7CC695A,SHA256=9544433D314D74B0AB7517960DD244CE3FEE194E47614FBEA4B1AC732E0FEA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:20:59.868{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1412C9E0C02055292EA5615719D0E355,SHA256=91E60FCA3A1A06F494F9BF65EF523980EB167FC8AD6006AEA8C5087D5464855D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:56.505{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61719-false10.0.1.12-8000- 23542300x80000000000000001292099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:59.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F52BB7F65E3A108C203013A1E1FE211,SHA256=1514272DBFCDE171AF4F94C5AF2AB7586CFBE413C63C2EE7F3BA5B5F35546FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:00.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB03B84379B84D45771A340925F41321,SHA256=52B0AA581D77C967FB3F73CE85D0CDA40F17BAD513FD3BEC1C1735C44165BA6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:00.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126D144BEC78E67F6574EB83764BE278,SHA256=DEF25ACF442BD6BCAD9259F247853679E7B5AA432565F56178636B959693A265,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:00.049{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001292102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:00.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC152CE554CE518DD9FAAE88C8A95963,SHA256=8A072F234F3A09BFB106E288926BD2E6C74FE0004A311BBCE3ADA306BE1F34D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:00.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AE8032173696F06ADAB031055F893A6,SHA256=AF386397EF50D9F3A8735468559912482F422A69A5F4E7377F9A23EB71E84356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:01.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42516CA7DCD78637750BC73FC3DA2EBF,SHA256=891382F26AAFA62E29A4DDDB6630514BBC2AD538E5B2BD5C70BA30FFD070CCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:00.552{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261720-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001292108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:57.864{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61720-false10.0.1.14-49672- 354300x80000000000000001292107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:57.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-8840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:57.743{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-8693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:01.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC152CE554CE518DD9FAAE88C8A95963,SHA256=8A072F234F3A09BFB106E288926BD2E6C74FE0004A311BBCE3ADA306BE1F34D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:01.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0463A730F656D674515014F29DBA049,SHA256=85CF377DB58FE3769DDBAA08AD56914D13EBDD9332A56C5256353F3B9982C9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:02.919{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0820519B800CBD1CB754BC5158AB155,SHA256=4D62744B93CED26AB0B04975D94658DA75C681E3E8969646037096C9590ADCEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:58.907{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14985-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:02.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=435739489B0738CF4C2C65646B6A5500,SHA256=091E1FB48B8A57FA76B7D1D8D1005AFF6DB9F77E3B4CBE0EC6E186698F2B7887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:02.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DF1E35C227463D63F70A4EA773D5B8,SHA256=79A081BD6A08696DFA70880328F8CC17BC25D9340C44DAE5C5AD884A010C4B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:03.949{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DC1E526DF3CB8F149C90EA63CEA243,SHA256=CEAF9D62E7FBA94AAE879FBD303E80C9FD42263E70612A7F188DBEF95CD206E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:00.015{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:20:59.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse106.245.140.119-64751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:03.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC1D3CCFBE04E33162C4B927F0B83862,SHA256=EC48B3A736473EA795F299B65AEE707CB945E3DED8C1C56A15A12C3A9C7FEF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:03.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5664BD174C272C1EF23C190DC650F25,SHA256=7C543D36BCD4349D73AF3CEAE8ADC7F6DF948BF6C11B4E720B83309E143EFB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:04.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B4FD4C6CD13BE85B6A9261C59412BD,SHA256=F38B1CF8BB3785DFCB5ED20E72A04ABBA627E62BE50CC93C39FACF25AAC7A047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:04.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1194040E930F5EB4CAA7D656CCAA09F3,SHA256=A223AC1EAB8528B2485647C83E481EBB6E4ECB368258DD0C720F07F6C63E12E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:04.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D99001E63B8E49DE148D27F2EC54A11,SHA256=981284A4E79574CFC468E8DBA2999BA4586E9288699F2B818622D0B8704B3DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:01.185{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-27485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:05.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D0EA6C0F5BF0322A31D5BF30B1E2C3,SHA256=58C6A615DA26A806DBFAB208D6E53E3B66BC64F5391345A5A6982AFC647BAF0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:01.587{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61721-false10.0.1.12-8000- 23542300x80000000000000001292123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:06.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA42B6C595AA14ACDCFBAF108E77708,SHA256=3B9A053403F96FFD34C1610A9C09B566C0F04589A1F00A5BEC8A1868E025F3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:05.245{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:06.000{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84911A06ED39B547847F84B41CF80722,SHA256=C97A8D3A9FEEB5B072F5EA955B8097875ADF9C164C823AF02D5DC563F4572BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:02.264{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:06.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49DF3AECD8BE99E7774E170D43AC50C8,SHA256=7DF359582400E7D5B80BB84C6C7FC83626A8224B799B44065D06B4EDC86D6C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:07.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB4B9E5E9E8E7AAD45F591DC349E210,SHA256=0A6B731553C0D658E2F1C326E8A57033D90331DDA8C2A8CF8A719103869C4305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:07.017{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FB1DCAAE9108B483B7C0097014A7FE,SHA256=C0E67172374702B0F4DF7B4F161E39E9769DB22E170547068CA3B3D6F081F5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:03.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-39281-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:07.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33658A140B1B5F0F172B42ED2B8FA35,SHA256=F6A33B580231550F4B10C13438002DAD43DFFD64D78551D6384EA9A76FB30B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:08.772{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5721MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:08.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880CF754FB60000ECFFE5BB43A9DADE5,SHA256=61D8F62D80D96DD8A45153071C5421A6FD5467C6252C24C152A177D0BAE35E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:08.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C7C0696EF2B1068304679EFA5B24F0,SHA256=30CC6DEBB736A4DDA503E89AA9D83C0F8E29EC7E96D813E1D044FC6D809820FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:08.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2FC2BC85A82039FBD61385E00727E66,SHA256=0CFEAB253FB9E51F72EA060091032078DBD06757EC9331479782ABAA5A7F4031,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:04.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:09.779{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5722MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:09.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5E7BEA25B8430D4733D76C509F489F,SHA256=75FE53B5C797EC080D8EF743F91FE24D9BDD3D7C30049B990A2BE99C7267CB74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:09.077{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFDB9A6D0F38A6027AC1A381E3A89D9,SHA256=0E0018FA097263FEB360D0159244041F9D36D3AC38F23CE09B915D59773EA115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:09.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A030CA97EC15DCB3531C0829060BB4B,SHA256=695B44B3A2A9DD433D43364CFCE29E9BFF933392BEC3DECEA0C6DDB8C2CB2D04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:05.550{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:10.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5071A90CED50AA879377A10713BCD2E0,SHA256=B25EC8FBFEC0C952BCC6D771ED005C168D058893988B8B03B1CF84CBE689D560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.875{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BA287A1D1E52D24FFC0C15F2E27623C4,SHA256=5937DEC6A48040C5513E5E998DCB09FF894FC4DD8A66552A72930C6BCDA979BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE86-6152-8D28-00000000FD01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DE86-6152-8D28-00000000FD01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.828{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE86-6152-8D28-00000000FD01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.829{5EBD8912-DE86-6152-8D28-00000000FD01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001385465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.331{5EBD8912-DE86-6152-8C28-00000000FD01}68123300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE86-6152-8C28-00000000FD01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE86-6152-8C28-00000000FD01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.160{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE86-6152-8C28-00000000FD01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.161{5EBD8912-DE86-6152-8C28-00000000FD01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:10.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216D8846A7CC0F37C25925DEF9DB6070,SHA256=B0A7D5A12AB6C3EE4B7EA716AE71301F9D4227C9845C3661DDD91A915C67C65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:10.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F4CFA7E39BF93D7ABAAFB284C4B73AC,SHA256=5AEE1F4F295388E2316E9D98B1D0EB2920CF01770EE03708C4149CABB4FE0DAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:06.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-57003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB68FE64BB34CD07568955D5FD0B750E,SHA256=DC7DE54C17F453A93ABC9EBE92B73224587D3C0A1D875F1DDA9B0E2CA31F25A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.623{69CF5F33-DE87-6152-80A1-00000000FD01}26242540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:11.861{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1404MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:11.175{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB6C4E662BD8ACC31A5CAD95A4F430F,SHA256=EC27A00B099A900D9946ADB03B16B1016C6C8D95853D7A64AE41723875854091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:11.175{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0DEF296DA72D3CBF1E588B89A52EDD,SHA256=F650FB573778CD50D491C40B0E84C5C5C63BA2851A72949ADC41BBA7007FB118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:11.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E827F54D8B10F14A2F74E2E504562B25,SHA256=557793F12CEC2542C6FFA4CB4755B93224F0CA2FE099F2D5E670D552CFFD980F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=095B905DEA4EFCCC936C5D0EBB1ECC65,SHA256=B38423AB8C275C5DEC85C62FF57627E053D8EB5AB65681D2745395F7D891AF85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE87-6152-80A1-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE87-6152-80A1-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.435{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE87-6152-80A1-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.405{69CF5F33-DE87-6152-80A1-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:07.426{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61722-false10.0.1.12-8000- 10341000x80000000000000001292185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE88-6152-82A1-00000000FD01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DE88-6152-82A1-00000000FD01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.732{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE88-6152-82A1-00000000FD01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.717{69CF5F33-DE88-6152-82A1-00000000FD01}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51F7C46018C061E8A5F35A9BF6EA22FE,SHA256=049C2F507ACB8B162C67569065150ABCDAA1C8372995347DC0898B7E29988CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697A34FD6035E2A6D612D48D1EC18891,SHA256=0DD85FD5D5287FA97E8F50B77084E1DADF11E03F69F4B1FFAF7360F222B65942,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:08.901{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-10236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:07.803{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-4286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001292168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.232{69CF5F33-DE88-6152-81A1-00000000FD01}24323440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE88-6152-81A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DE88-6152-81A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.045{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE88-6152-81A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.031{69CF5F33-DE88-6152-81A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.875{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1405MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.796{5EBD8912-DE88-6152-8E28-00000000FD01}40365708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE88-6152-8E28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE88-6152-8E28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.643{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE88-6152-8E28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.644{5EBD8912-DE88-6152-8E28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:11.191{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:12.193{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CA246F4133CC9D449CB6715C74D7D2,SHA256=C91A1E7FD23522483AACE0D83A3BDE0A55C8797EFD19389B34505B532457DC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F98FF390FC85CF688680D8FF7E5A0C,SHA256=B526EB1961456B10AEA587C35E68B37EB90C189B4C563266C3C05F284B824535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB6C4E662BD8ACC31A5CAD95A4F430F,SHA256=EC27A00B099A900D9946ADB03B16B1016C6C8D95853D7A64AE41723875854091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE89-6152-8F28-00000000FD01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE89-6152-8F28-00000000FD01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.259{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE89-6152-8F28-00000000FD01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.260{5EBD8912-DE89-6152-8F28-00000000FD01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:13.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B899B10B64456267C7579F4072A9FC,SHA256=A36E189D3AFE79A422376D05BAA2797D8596F205A0BC3AE0752451E000DC6E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA77588B7BC9D6D24D5FE1C1E7F836E,SHA256=319AC822F7F2D0C0BD6FC2BCF451D1EB68262F967DB86106A7B1B511885089D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.685{69CF5F33-DE89-6152-83A1-00000000FD01}104792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001292199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:09.979{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001292198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE89-6152-83A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DE89-6152-83A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.420{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE89-6152-83A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.405{69CF5F33-DE89-6152-83A1-00000000FD01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001292231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.983{69CF5F33-DE8A-6152-85A1-00000000FD01}3036952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:14.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A783B1C375CEB3E31982E217822E014,SHA256=D0851D4627DD380D60211563A6C6410F2E049568151DC51F75B460C58D617627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22ADA48F7D36935291329C395965B060,SHA256=5B45380ACEB165CC02231B3F2827B6B760A27A12CC03C5C42FAEDBEFE2888F61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE8A-6152-85A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.795{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DE8A-6152-85A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.779{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE8A-6152-85A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.780{69CF5F33-DE8A-6152-85A1-00000000FD01}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:11.058{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001292215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE8A-6152-84A1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DE8A-6152-84A1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.107{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE8A-6152-84A1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.092{69CF5F33-DE8A-6152-84A1-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:15.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023FE113FAD525D09F93702EC26D77BC,SHA256=973F5AC993CC6216A1D039700EA58D877D3AC2DEB599A9D9048F25AFA00C1542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:15.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C080F2F1B397DFFD42FAA0EF272AFC8C,SHA256=2BD0C289293E7D417101F35D9C644A6345EA404D3CE02C4262BB38EC38192AEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.428{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61723-false10.0.1.12-8000- 354300x80000000000000001292233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:12.137{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-27740-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:15.076{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9EDBEB155253692CAB96573D0B1861,SHA256=CFE8E74F64294BBD28DF08556C426728DB07A2745C50A3B9E3C0466A82B401B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:16.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18EEAB096EBF8B33544F6273ED50904A,SHA256=FE9F875191CA6B185AF78A24239C4E10B648CE9BFA2EA390E0F2338DF68CC7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:13.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33489-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:16.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76E7F9B2F047A2A37283FD25E49271D,SHA256=59F9AE036269E4F7F11F7DB32A1BA4ED9CD3341B4C4DB3B575FF453A04285B76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.892{5EBD8912-DE8C-6152-9028-00000000FD01}68485632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.808{5EBD8912-8CBD-6151-0B00-00000000FD01}640584C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001385511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE8C-6152-9028-00000000FD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE8C-6152-9028-00000000FD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.708{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE8C-6152-9028-00000000FD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.709{5EBD8912-DE8C-6152-9028-00000000FD01}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:16.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC347EC8D761F962F73337FDA70A08F,SHA256=80F3A3AD116175ACD143CD9E6C0CCFDC2216D5E8AE92B08DC7BA8975FD7D610E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.708{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59014-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.708{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59014-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.707{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59013-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001385528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.707{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59013-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001385527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.706{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59012-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001385526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.706{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59012-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001385525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.754{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FDE6793940560ECA507FE4A65D0C397,SHA256=AEC8B632B60D2E66A51118AD412A18FACFF391ECA6A4365BB71E2D96015EC591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.507{5EBD8912-DE8D-6152-9128-00000000FD01}58885796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001385523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.167{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001385522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE8D-6152-9128-00000000FD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DE8D-6152-9128-00000000FD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.355{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE8D-6152-9128-00000000FD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.356{5EBD8912-DE8D-6152-9128-00000000FD01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CE2EABE6B968A9F5C6407012EA1AE8,SHA256=85D89948E63EB3B182084A7EF1BF57ACBEEEECB2A7568F1A510616E0B61BC5DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:17.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA47564F52F235548585AB94D0A968DD,SHA256=9412F41E2D198821A7946B8D0BABF08456B502ED29F48C966D198BEC0761ACF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:15.370{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:14.292{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-39291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:18.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4392A4CBC20E85F1E9BACAC47C882140,SHA256=0C5F64EDA7349C6D530057E9901B59345097060F2510C7837782A2EFCDC6F18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:18.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65995FF33836987E6D9218EF7CAFD46F,SHA256=DD52919232C34C8F05BB5074DA8A41AA82FFB90939FC7924F0D02CFD6B9B03D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:18.338{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EACB2424F399DD4EEE691147EC7E855,SHA256=6F1BA87CE50B9B13D7B46B7E14A9F6B13DC2B1E1D8F5259858C49C29BC962119,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.810{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59016-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.810{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59016-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001385533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.725{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local59015-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001385532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:17.725{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59015-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001292246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:16.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:19.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=055DF0BDBBE896E96D072A60ED418CA6,SHA256=1A7A85B79AB37E8F215AD3D5CAEAB6300B3143615C084572ABE6E3678004B0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:19.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE824E38033AED980DE40DBE0A5A6A6,SHA256=D19E4A9C01CE85CCF9CF46C25E4FB5C568F71D6ED277AB72246ED67952432660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:19.354{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E595EA0F498ED9ADA7100E4AD25897,SHA256=C972C11FBD63FB8F3F3EFE6571B76BD7266EBED7FD801077B6498A99A9A2CDE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:17.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-57461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:17.448{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61724-false10.0.1.12-8000- 23542300x80000000000000001292248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:20.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43D35C007E0E48A5B1906A60BDD35DB3,SHA256=C35D6DB8BB07F45ADC6F91EDF5C8B6612307E3BC69C8ADC3BDC3324E6450D2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:20.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87B231503B6123862B0EC9E48680749,SHA256=FA35123D2B364F3D495C08D09FEC4F64C730DEE5AD52C19C0CEDCB0CDC2B927B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05237621639D0EC2755AF0E086F01BE6,SHA256=3EC47194A78A98ACE033A009B0668C8AA7391CFAABB8D79C059FAE10CF17E756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48546DD658C06861A0EDE0D805A3BB1B,SHA256=129E49FAC0D53170875FE1E55E83E93DB6241E93AE255F43CCB1E64382BFECF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DE90-6152-9228-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DE90-6152-9228-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.037{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DE90-6152-9228-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.038{5EBD8912-DE90-6152-9228-00000000FD01}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:21.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65B5CC26386C4EF963FA3F600C26B79,SHA256=7527F96CA8913463D8FCD8DE8EE9A8DA76621EBB1CD2DEA8582199F7E92E6461,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:20.436{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com43364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:21.386{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE310BF7B272C87FF0BF6C4F0412031,SHA256=DB45B8CFF1ADDFA0C466FA99479A24A0D5D6007E7EA6BBCEBB5BA758A682C23A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:21.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D4B630389F0365096048EBC45519D1,SHA256=597ACE808A930A169327444D0A95A834841616EF046B24DF4E195FDE1B7688D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:18.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-4816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA42B84052BF7933991CBC235982631B,SHA256=CE65FA39BE94AB5CEBA0AF5A6556001E56BA22BE8C0BAEB1BE20F9ACD0561C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:22.420{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB19E18780618D7E6842BD4343ECDC3,SHA256=F940CBEEC649D35725FD2C06F7DC7C20334509AA24C38A6AB93B51EB7E2D888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=040EFEE38D6DA4B2E4AA5A7AEA936D4D,SHA256=E952321796395007E0B01EE9AB48DA67EDBA0B56E9CC21350BF4F8E1BE23BD48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DE92-6152-86A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DE92-6152-86A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.503{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DE92-6152-86A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.488{69CF5F33-DE92-6152-86A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:19.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-10468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C40D6D3E21796B97346DD408FA9D0D6,SHA256=8EEF824918BD0D1D1965D16002D637982F65A9656D27636A455FEEB7876CA072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7772D1E4F815785A88062097723109D3,SHA256=6D5382E38C4D4A222C09E5B2B0B107E2B5319D23160428929115AA50DB45FEA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:23.116{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:23.435{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD76C7B4995FBD7F98740EF4CA93D941,SHA256=73802136600E66BFF4F02A2BB447AD95896C8E63CDE67CBEF5D5D36D55822C01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:21.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:24.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF177CD0583BB3813AEAD20538BC70BA,SHA256=F40C07CD944FDADBBD607E12AA8108E3A076A746F9485BCDAD60AB482BFA3E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:24.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC67FA67AA662605EC6D3EABFC84456,SHA256=EC3E93058456612E4E97840103B3C6849DD4ED4ACB715A3CCCFC054A2E5CD357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:24.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677D20086F5FAF0DA3EA5079143471D3,SHA256=F16CF4CE6ADBA26638D0C7784DB55EAF4EF07814A107A8D4CD6B6500EDFD175C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.132{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-21856-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:25.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA065D8F500DE850BA4EACAC03E6676,SHA256=CF5C2C464BD5EBFC8DA739FB4C0AD75F5044EC0FC4B0D5A7ECC1D439C03F6EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:25.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8025A7611760F5A64575916F364A9B,SHA256=CED959AA6B0159DEDA32A31A5009C481FBE1A4063B0083E584F229DBD64BD00F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.528{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.492{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29084-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.455{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28954-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.394{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28569-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.324{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.279{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-27902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-27711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-27581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:22.558{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61725-false10.0.1.12-8000- 23542300x80000000000000001292278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:26.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65A17C6CFE923C0D9B257F67EF123E4,SHA256=A56217596114032DCFB3D139AE4F933B8C66670BCD1A8EAED6EEEF88A09ED97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:26.490{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF34A52A2E9A7F8EB3208C321FDE6E15,SHA256=8429238DE0863E0C056D600C82AAA7295D0638E061965927649E982352F8BA9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:26.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD279FAA80C73081E96A41CE67BDDBB0,SHA256=DCF66FA3B95A8C4C5FA8C2117167C484DF9909D398959F32A56CA054DDAE6E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:24.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:24.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:23.564{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-29460-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:27.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52298966147E1178C368CDF3ED12190,SHA256=CF3C486710D82EB8EB61A5AEE21D2E3F77CBE589236EAAD6527EEB781B1B4BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:27.510{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0EC36A214B297E59B8B16253F88F78,SHA256=DC6E87778EEEF7ABE89DBB089E8A2CD6D0856DBBEDE53E2A4054ABF94941A00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:27.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6F2EDDA867C90B05775AAA721F39CDE,SHA256=B72ABC173E40A92511E3C183CEF86C48BE2515E53466364DCA84CAF82611E87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.925{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9301C6389100B87DA2099D0C763DB05,SHA256=8A3BBA9EC0D2A3E92B37D616D87B1FC5C65A119E72135028093E08B64079A529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:28.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC33795CC1A05376F7042813DC11864,SHA256=0A054639EA58A4561D1912E5F914136C9E59C6C08DC21BEF71DC490020F14120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:28.590{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24CF270E20788F5EDF6054FE76275467,SHA256=4A0941F61C4795D9D75DECA2795C1F19CE4392DB6B087D59F9288B77B6B2F321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:28.541{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011456AB76F3159902F4D4E2890C167C,SHA256=426DDAF05730A140578179802524A9AF0D2C6E88F8279CA0A96F369968B0204D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63224BFA15090B5B33C9401349C557C2,SHA256=28A4E73F81644D53B268FDAC6664CE0BC38BAB7B88A7A95032AB37F0E741A1A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:29.087{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:29.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145C5EE8B87FC7BD964DF84EEC51FCBA,SHA256=05C411123CCB6B9D5A7D52E9CC38E8BA43DA55E6BB78DE69528E2347F87A026F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:29.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A61E857CD0429252411A38919BF2D73,SHA256=4DAB053480CCBFAFCA848BDE014541CF5CAB4AF0A4103A731BA84DCB1C695739,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:25.859{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-41683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:24.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-35846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:30.589{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABE47E9C06CB8F91C0AD3EE3994A186,SHA256=812AAC01FFBD0437C166E805FB70CF33922FBD2BCAB04898CA3D5BCD744985BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:30.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48630F156050A6C5686457DC155880A,SHA256=237A96CD978FF28541D49468CCBDDE573B797BAC1B326437AA8C8BCE2B283799,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:26.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47739-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:26.938{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:31.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77074F5E0D23B07029A7DB08B588D51C,SHA256=63AD92F38E792745BA24D92A322143A70E578E504C9D0B8C450CD04B29D948CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB563FDBEF1548DABC111E6C3F1A92E,SHA256=5D5DA14570B09C8110641CD428D1125552508C4B5E34B3504A9DDAE01E0A0229,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.259{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.236{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.213{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54434-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54312-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.151{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0BA1D7ABF65B25DC0A12AE786636A0,SHA256=819699B64250CC1D75F2267102821D056C8291A503BE2174E218920280AA6E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:32.448{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-62023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:32.637{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD147979BBFE0BD759E90F13218CEA3,SHA256=993ED25A6B12998A1E2D49ADF9334AEBBA0178D17EE1BA4B54C9954977A098D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:32.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8308C7D79293AF39DF4C211E458887B,SHA256=B5988C181FB12299A51DDC1A8DF3CCBC173ABD2A29EBF8090348B59A8683C3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:32.128{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E5CC679795215451F46DFCBD77355BF,SHA256=983F07610CDAD126BB2136A028B4AA9F47C82EC96A0C2546C1B27C67457BED35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.480{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61726-false10.0.1.12-8000- 354300x80000000000000001292314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:28.282{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54881-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:33.667{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA19B45AC7A95E70D1E4BFEB5AA5626D,SHA256=C9D2FF537BB8AADEC494A60F44A85706E3CAF52C61FF77A25E371A1426617DF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:33.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF709BFD147BB6240F58259AFCBA927,SHA256=0FD87CE9208173A62AFC71DDA2A42553285BDCA5CA5DD7BAD46F78871AD9FBC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:33.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0F3433CEA95E7A84BA3DCF59C91D583,SHA256=35C67C8C23350E4F99208BFC3EC536B607F18B2642E3049D6503AC3E0734C6A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:29.389{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-1821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:34.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0B596700D687496D9BFDD7948351C5,SHA256=BEEAD88ABF83AFA10F208DF9F382F661F57F5BAB50BA6340F98D3FEA21355542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:34.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF90A398F516F4D5B1BBEC4FCE34C35,SHA256=79F78A11E2E7000F13FE035102EE5CF884CD2A1EE52111251A3A0209B9E8292A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:34.425{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CAF71B003A0308A0270BE75E4EFA4DD,SHA256=49CCEAD7B076446309DBAF4B61295636BE4C6890EA274CE774221521D1F6B9F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:30.512{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-7920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:35.704{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A03193DE34142525C181F6C2E81B8E1,SHA256=19CE527BD7DD91E23C3A6B6D7DEF3B2BC6B128D6B4F675CDAE6262106D4E997D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A41370C88E04F9AE9E903762AFA7DC,SHA256=C0CB95C8D012A4D4D23A0B9B76D1A9AD98B19039B8224FB6DA6011B7389C928F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=738F52DDA27EBAF4E19031F9A80F41AA,SHA256=C73B0E61F1950FE6B30435EE4388123508AB969E3F09E09626745923A0A0B54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.649{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14052-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-13932-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:36.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF686E3C3BA74B4613F1590B98834F8,SHA256=A22BB1BF60B1E4BC37C0C7C244347A99DB34F4CA71249E7DB742A19CE2BE88F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:36.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537E4487EC7173FDC17B21208EFF15CF,SHA256=5C02818BFCF4AF828EE84A7782B009AE14193451B90679F9B76F52D0E1E91AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:36.719{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD305154D691449DEAE39137489B368,SHA256=32CEB88148044BDE8C0F94B68C6C70767241D65937F91BEC4222AE0CE6B30929,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:35.117{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001292332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:32.841{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:32.819{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:32.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20471-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:31.710{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14437-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:37.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F9E6F29B338E6FE3CB2EA65A76B0C,SHA256=C6D293ABB13A02E20FDDD68E839AC49C91E4CBC1363EF073A06D7B004B2983E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:37.933{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9988AF69A39FE2811FC0BAB12D61A63,SHA256=75D4825A3F4F314609EA6C2D96992230EE4EE9D8BF84C7BE0D01262E9B7F88B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:37.933{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC33795CC1A05376F7042813DC11864,SHA256=0A054639EA58A4561D1912E5F914136C9E59C6C08DC21BEF71DC490020F14120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:37.765{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368291EC7C5F0B168477FAF635D048D8,SHA256=6AEAA969CC3CF2566E6CBCB272CA90640E863C267DA752AEB568096370BA9363,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:33.948{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-26600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:33.922{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-26526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:38.817{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D6A59B764ECA87BFC04566512B9C5C,SHA256=D071CD5389BE4AA319D0BDE9CC9E2FF93EFFCAEDCAD6BE37ACFB0D9EB02432BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:38.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE84FC6A5A30317676700A3F9D8FB18,SHA256=C37227957FCA3AD5E738067277702AB9D1186C41AAF7CC0CF2B787F76B866A13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.217{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33530-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.171{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.135{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-33093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.113{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32915-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:35.077{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:34.433{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61727-false10.0.1.12-8000- 23542300x80000000000000001385575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:39.832{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D69EBAD0E42AE59E1C0CDA90F4F6C5,SHA256=0DB4BA7F58C7A80E9E78CA858E76DF571409B579E7770000770B34181C387A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:39.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08989A645FD2C2A1F4FBD8BDAABBE031,SHA256=A1ACBD7C4609DCD168E74DCDE397880D70F7F7928CCD68513213BFE092844548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:40.862{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8017E18E38E491E3C5EC3747067F4B,SHA256=234E755E50AF249E6E4614EAF69E5E4D2C5F5283CFB09E7C4721C760BB889B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:40.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11290BB08DB04D723CE12D181262DA0,SHA256=1EF39C8053EFACB845E06FA194BE66D629088F3816D1B8AB945C89EE0363CD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:41.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA041854E5A11C315AEEF59243FBE9E,SHA256=A5A3F765C14C656829FDAEB82CA54CC140CDF7BE99924AC4C5DB6766E0874435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:41.879{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2F69375545310EED2155C964F109F9,SHA256=0FC6713FE34FDF6E79EDE6E8006D735133AE2DD5E71D29F20AD1F1531A9CF547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:42.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477920657220172020A6C4C61A707279,SHA256=2CEFA5E3D9F97F7C33AE52AD536B350B86D1DF57743671CAA5D6BC76CD607219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:42.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AA58DFEDFE799CAAD994CBB5CB2361,SHA256=9F7514E134B70DB13CCED1A954B66A76013C1F424A99F9C79DF899FD817AC57A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:39.607{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61728-false10.0.1.12-8000- 354300x80000000000000001385578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:41.028{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.960{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAF949A189FF1A3A39602D50B5FBF5B,SHA256=7E034EBEBFC9A53EEB72A00E2E25AB93F000C40244CDA0F2B01FB2FE8690F97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:43.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D451D25AF345600100E6AB86DBA5375C,SHA256=2796153756F96A8C232D597F7107455007493DD6D7A3A723375540AD4F487D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.114{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE4AC9B5364A356B19A1394817D88EB,SHA256=5BA5FC4BE44D7FB3952D0CC0D7F6E7935D479027A3066EE0DC6DF6E73A0258D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.114{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9988AF69A39FE2811FC0BAB12D61A63,SHA256=75D4825A3F4F314609EA6C2D96992230EE4EE9D8BF84C7BE0D01262E9B7F88B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:44.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C03987C20D763B09AB5C4FA01E602B5,SHA256=BE677F5BE1DEBB3E3B87E7F5ADDEB859284D1A0F587C55EFFDAF74A32E8F0CA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.096{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59021-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.096{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59021-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:43.065{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com64846-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:44.349{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=866A58FC9C296918FABE22EE336D7655,SHA256=925AE3193C70C9EC8402A8E9865072C97A871B8DAE0B0C3AAA3913AAF5B9B231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:45.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54470C50ABE8494898A4AED1DC7E30EF,SHA256=0927B157179B63BC0053DFF1A2193B71178FF7202CDABDCDCC631BA23CC067CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:45.496{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDE4AC9B5364A356B19A1394817D88EB,SHA256=5BA5FC4BE44D7FB3952D0CC0D7F6E7935D479027A3066EE0DC6DF6E73A0258D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:44.996{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23019FD5E7731D28CB26A6333B50B0BE,SHA256=610489779A43FAEB6F988AA1A4F45FF5DC3EF97F2A592C1FE860FFA3D22995A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:46.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B905862CBFD62632F977F1F17F1B8C4,SHA256=F32374C76AE6F394BDEC475398EA51D6389EFF3174BFD63556897562757C4B90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:45.457{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59022-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:45.457{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59022-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001385593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.042{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.042{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.042{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.042{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.042{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B89C2C5213CE83F5E91B0BB10B60CFD,SHA256=CE4692E74780CD76166A9EDBEF48D6CC66D2564A501A33DFAC5DF8D0AD9331F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:47.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A79175BF27A372EC7035E30DFEF356EB,SHA256=0DBFCA6C6FC0EEE062E2991B29AA670214A4FBEE205C85F7B63C6FE9FC44E799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:47.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108B2E929040A293F64276681517E5BA,SHA256=D3BF7857F03A4CCBC79852353833ACE4C8D8527FF2C22FA0CC8F0E854A4C0437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:47.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FB3EFC3021B8396D47E4C18458444A,SHA256=3E1FCD458ED4F3017E08752FBF9E0AE5A98D5B0F386934A5206EADD79CDBDF79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:45.229{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17598-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:47.758{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:46.171{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:47.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83E3B6802539EF312AE76878EBF61505,SHA256=EFB01693667E8BB458BD765CC683BECAF49C36A31ECFBCE9AD4D4719FE1DDBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:47.027{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99FF3935232219F3171C80D35F79C0D,SHA256=D4A5B7B8AA435574A6A8FFFA8CF137F1D9A7B1258EC6D31EAD0145CF72892095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:47.239{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:45.254{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17774-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:48.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD61FC2986B8D27C8DE43C990CF2EAED,SHA256=A9A3732C9BC9E7D6DF6AB73E4688A437731BD846C9BE662397A2C50E1901888D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:48.041{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D73B9AF6939C1D73452F82A84B0BFE,SHA256=8AEB1D3158B7EAD78606B2449528CA2AA621E5AA32569C1D7573767572A355B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:49.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFDB8F0AA9249BA6128D088D43A27F1,SHA256=A4C6FA7E08E5F62D0BB92CFB28EF1140A3C49F74C70D7AA650EFDDEFD46B437D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:48.738{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001385601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:49.056{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF402B93BFB579C0A46AF94968DD1343,SHA256=FEE9F435A5C19CDA59B237AED330C358344D6BE15B83BFBDE34336B9DC9F5366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:49.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A79175BF27A372EC7035E30DFEF356EB,SHA256=0DBFCA6C6FC0EEE062E2991B29AA670214A4FBEE205C85F7B63C6FE9FC44E799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:50.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B888D864E667638EF4E81F53D561299,SHA256=04B26A0A05A7AF9819C54CFB44D9FCDADBD17D12C270980512B4A6D41CB875B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:50.130{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D1459B2024A0FE90D5F63428CEACAF3,SHA256=8A390A1822E3EAB69C7AAD451C3EC451F8197DE8B3D0D00C5CE7008B995D2380,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:46.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-24191-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:45.591{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61730-false10.0.1.12-8089- 354300x80000000000000001292366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:45.435{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61729-false10.0.1.12-8000- 23542300x80000000000000001385603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:50.108{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D0F7D1F10843AAB71096CDAD327E2B,SHA256=5958A85470A395FA902855603A0D969791AF87BD32A5D8D39A02CF5C4AFE8446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:51.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111DF3B644E40041F3E98B67972444AA,SHA256=C1CA05DED6B3BBE9AF8D3471F21FEC17060C496068031E6ABA30F101EE4E800B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:51.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459A70E71464225CC3B1C1E4654234E2,SHA256=5B96B2FA3BF0A70672B4C7AEF8F785F5C9CAB4B84F8BA6C5467A0457870A5F63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:47.425{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-30506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:51.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49D13222AAC291BCA1A56F92D7E30244,SHA256=59140204D9A7994D80CC0297BB5D1419DCC505504563B81039C25550D137883E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:52.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0F0CEC096679FFB111979143877AF3,SHA256=F16965C2FB68DCDE176B93DB38F7998AD6D3FCEA8411493130148031640D46EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:52.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103C686F6FBCD485EACB52701482C3D9,SHA256=544421E920092EBC70FF9936960EA946C8DF8AB8EE5375CB966DB86E5DED78CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:52.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B0958D8C65CBD328B4342B0D05C991D,SHA256=9239556858C88CF836FA1163B86A867FC8FC2E526ED8211755D215CD92C81B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:48.501{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:53.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF765F7BB15D01E12E161DEE107849E5,SHA256=6A5665255D0C80DCE8F0D70773990506BF2FD737A1E5254530C3E967B41349AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:52.150{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:53.170{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3A657A85A2DFB7006E425273C3759B,SHA256=F50600D5566158B9EB28CE7352C159E95BFF1AA35552F4EBD70CDDF51FD939F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:53.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A52B5248578ABE40250854B0EAACB0B,SHA256=7DDBC1C6B498DA95713D996ECB069D432E244233E166633ABF1A15CAD1D22A9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:49.580{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-43014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:54.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523D208CF46FF31CF91B76CCBF83AD8F,SHA256=2C685064A74D3472E06C7A4995A120867DD34C87D266795EBA51B5C883D0A40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:54.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215EEE171C473B21BEAC07679D066754,SHA256=EFB6DA26CBFE78E4B70A84E50324BEBFFAEB74811EBA79F560E1229E2BDFD52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:54.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2BEA803A86297439670EFD03187272B,SHA256=B8C13B517C178EF30004897E5AFF7B6B975702743A0BE5DA1BA41E715532B3C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:50.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-48983-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:50.481{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61731-false10.0.1.12-8000- 23542300x80000000000000001385609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:55.218{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04F0F97E1068DB07B6C5A7D08F82511,SHA256=956DEBCB7992B40B54A8D01985FB424A0474E9E2FAC15A9EA3A560E9BFD3C48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:55.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1245754E5529BF6D73BB098164905F35,SHA256=7258EB8218DDF72950A9E166F8A11293F059C57DE9B498A39E0CD3985C59C2C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:51.783{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-55728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:56.301{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7506D75219B9BB05C1F03B9ACAEBD2DA,SHA256=39C1D6EF53813EF61149B1993F34BBD2C452C61C7831BA1377CFB0B3F3FAC746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:56.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35B8DC7439EA9A5891A7CEE368A0EBAB,SHA256=249D967C12EC3A129B0FA20E36D550E97ACD3FF003CAB84CBB1C84A0B09B4EF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:52.864{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-3094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:56.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2D50500C39E0413D45E2B7EA206999,SHA256=001E00F36B95E2E14C8875604C3939BEF10A9CEF3B297788E7928D59F9D89F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:57.316{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B1E2F073AFFFE7977B5A5EE49F15FE,SHA256=A57A5A29818FD586F38A10AD852B95996CCE61EDD67365BCB08DE02CC684F27E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:57.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2CE366501919AD29EA4D7366FE439A2,SHA256=EEDE45590201E54DBC7F1A27F71AB559FB68146E9A665552A93781C2865BF7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:53.947{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:57.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBF61D08D7573D58668C4E2F454EE7A,SHA256=A8E6F4D0D143713F61D68D785A65971D0F4A3AC595E9AFADD71896D7C8350DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:58.081{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:58.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73899BD6877714B0B5E50AE9E82FDA73,SHA256=3442965739473C676EB004726DE12492D0A83589D062D53B62D5E86703A353DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:55.048{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-15446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:58.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259D27B1D14F86636C46CEA53AEC194C,SHA256=68C1F58BF04E0E77DAA8FB68478DD4A767615C4EBB7758FE0BB022A813896E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:21:59.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5796CD8847E2123EE3B43F96D742F2,SHA256=E500234EE7E07B10863E53C587681C9B88AC33B7C556B0E83C606199D906B6DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:56.158{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-22120-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:59.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F8F8E3B204A3AF82C8400E9BAB55993,SHA256=7702D84A47EE7478630D1BC86E7534580B1EC0569C8D827FB45D03EE56D1F4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:59.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB6A6E083948880E843A500C66B2C2D,SHA256=54D427392AB70639CE8F055B44B9F88F7A3EE5152F4828D62DA69C2B79645ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:00.646{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992ED41ACDE5B3389E5075377509F52C,SHA256=19E16B0C85F314E11F38A92CBD786697A773360DFA934199C4717C2948C927FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:00.646{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DF786D04CEC42A6600AAA12CD4A4D54,SHA256=C89555B395242E84325AFA2BD4DE004A7BC693CF0149BB573248733DAF51BD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:00.399{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F313564E656E96D47BA1B570CA08A0,SHA256=64928C9F0061CE875E289FD23536B2D0F9940E4481814173B680A356461A45B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:57.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28988-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:56.486{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61732-false10.0.1.12-8000- 23542300x80000000000000001292398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:00.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F40E5468D0D879B2DDCAB6133B1818E,SHA256=A1D120D0591818220BAD080DCC0B6298C70F46529857B41828802B1CC96098D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:00.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF21AE061F8DCF4BB45B8E7F5B60D10,SHA256=E3E6F9E09DFA0EAE45316A03FC040EE5EEC4AB018644AB38A8986E9E4DD0120D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:01.864{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=992ED41ACDE5B3389E5075377509F52C,SHA256=19E16B0C85F314E11F38A92CBD786697A773360DFA934199C4717C2948C927FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:01.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE3649AD4F89C4E960D775DEA8784E0,SHA256=87059EEDE8CC600304AA77E9638D86455956C435E106D47C36AD5E06FE242D1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:58.529{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:01.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C861B67B0302A95E918AABCB17D3484,SHA256=89739E71224AB72A653909A3664548C640B7BB046FBFDBAA39467EDFE9480295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:01.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C48368C3903B927271BE30BE39B14F0,SHA256=61C29932E72F4EC147DFF73AAE7FFEF9D6348E9C1685ADAB8F6A075E9A40EDC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:00.547{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:00.499{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:02.984{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C26B0E738B7934F94E5871FA180C93D,SHA256=D64EAA227689FEDC4D7F3BAD32C9672A675AE34FEF8A77478F4201B7FBA3D536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:02.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6748E7B40214AE4E99BAB1FF7D124CF0,SHA256=2E2CD5351CC1EFAB1A9634A2D1BEF77C358BDD181028202AC52F1A6579262CAB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001292415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001292414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14fde4fa) 13241300x80000000000000001292413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0xe99aa782) 13241300x80000000000000001292412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0x4b5f0f82) 13241300x80000000000000001292411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b452-0xad237782) 13241300x80000000000000001292410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001292409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x14fde4fa) 13241300x80000000000000001292408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b441-0xe99aa782) 13241300x80000000000000001292407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0x4b5f0f82) 13241300x80000000000000001292406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:22:02.478{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b452-0xad237782) 23542300x80000000000000001292405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:02.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE7F9706F5662ECBF5F67670C2DF2F5C,SHA256=45B33A16D19B6FCF6FBAC824D31EEB26E3097E6487E10C6306E7A8FC5B0F54ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:02.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2985A4B3D96E75D141F9E2F8DC2E38E4,SHA256=8A6AF0CB8C6884DE32E1065E4CFAAD9C895EEC68D381FF9D56C5408350675205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:03.514{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CCF9B4CCCF9FE5D5C7CDEBE31C34C9,SHA256=9B5AB6F176A72282238101600DDB4FC012DE0C5E56F614A76AAAA61C0F4A46B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:21:59.669{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41934-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:03.463{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=824A5E8C259AFDEDA1078B1FE39FCD67,SHA256=18EE163D9F8773AD83CCBC2FAE5F4DB51C6398389CC98A9C51DE40BE1F9BDF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:03.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933C8337DE194336004DC158637F4B7A,SHA256=3C9B5E4A82031586343EF6A4A171FC7035F510808C48E5834B04C0E1DCE03E35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:02.879{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:01.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:04.544{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB3C830CC624C4FA4BD6A98D3CD3FC0,SHA256=82A02E1EAD7C71B6002559D2D655A7FDECB1DC27D7203694F62E543D4C5D49D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:00.756{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-48455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:04.572{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73251EF27E1423CA3FF19326C437867B,SHA256=C964B64F0E5CE0ED032FB619A6B62B01C5816001143561C4ED0932515EDD1BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:04.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D054F97F27BC241470FE2043EA274E,SHA256=07AED61240237F308BC63B65BCECEEA458B0098AC99781B476310CCFD093FADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:04.058{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:04.031{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:04.129{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0E1430A8BA6363BBEFB1B8D0DE3F9F2,SHA256=5F316DF63985191FC1378AA92B000235ACE0E300C0F1ACAAAE85243B7D34E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:05.581{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49008A607B00C52D9202B11157FACD38,SHA256=9FD325292C11AA8F127747EC5B3E822D6C888D871C24195556B6379822D96A46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:01.847{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-54781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:01.564{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61733-false10.0.1.12-8000- 23542300x80000000000000001292423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:05.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0F49B21F4802E2AD9B7330F0E146418,SHA256=9716747C3908A8E12C061972613FAA0CECA9D3619994A635CBE500C35545691B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:05.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D04B71C60E1F7DB9B43E0B26317C54,SHA256=DB798A8C5F7A62660338650D8B0C0CA4BC54280867237B0B5BE5AD109CCF6684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:05.363{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C8BFC07D0AEFE12D470EA971D6F5476,SHA256=C8E6C6EB24063CE7E6C0CBF87E4BAF2CB5C798397F07C33D732C44D5A4D0E99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:06.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB17D7C9A38BE10202DB26411CA0EF12,SHA256=BC0E2363DC5AD36B56039A8CFC810123CEA6EBA45C5D3E46BA2335FDDC65E86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:06.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A7791B29C82BA7EFA73BC85DC6A2BA4,SHA256=24D5124B3D36A745BB8EEC3EB58249DF5FE6945ACAEC706F2B30F5A71B7E1F9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:02.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-2106mzapfalse10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:06.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16827AC66C54E58A4302B315907FF4BF,SHA256=1D62749E7F94ADA0D16F5F6F128991BE07BB80E2D0EA6C18D18AADD493542314,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:05.147{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-32404-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:06.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53809A55FE9BF59742F171A8CC54CB00,SHA256=2A1CDA31311AA71D7FCE0B95F7C85083BA3A03606E2D1ADE44B8F33ABB2B0531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:07.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCF01422A833EE4CB62EAECED4C76CF,SHA256=4E332AFF0E48114A79511F0DA8ECE40B79F8FD83FE76D64DD617B1A778498014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:07.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC7ACC6BFB4D1404F511A45355E67FE,SHA256=71B4D70115A5579DAFCD5B555C80C9E6EB228FE0453992B1C5F0F5C709412999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:07.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A39FEE82A20A5083CD1BF75FA19583,SHA256=F027CFE588A162B89E5930B5935D15F41BFF4632BFC8DF09E1BD2D94F4BF55BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:07.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F17039C39252B8B090A2344F8F68817,SHA256=8B4FD527CE9C240567ECC02ABAAECD00E0D095A8E34B9C569339F3E26DB57835,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:06.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:08.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA13D961D451D5AE0F0206B6E2DE5E8B,SHA256=3B322D74AB5468AC84C0B4C0D75998A0E5CE6F1DE333B1BD59ADDDCB4254C1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:08.625{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80630D381937358410297B8D02038C47,SHA256=297E69DEA25941FD084FE68A97033C42C8F6423F921F0663C6612DA93A085E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:08.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=526E1F2BF39D09A8BE03DC394BD87911,SHA256=B94715173B4DF230F8082EED0C10AFDE8CC98FF954B723B4D2A86897D005B68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:08.385{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B9AB7E6C2517AE863B6DB9E86057BF,SHA256=38DAFFD2B53ED23E635642A4280A78D82B814E8390EC0A428EF3EE0104CADD82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:04.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:09.777{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5724327EC0C39FC85224AC246AD2C246,SHA256=C7227782FF60016A730F04F6848230374C20FD022D73F24BA3A0E5A8525C148B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:09.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9430EE95AD5C031373AECAAD72C3861,SHA256=66B4489DE132905A9A7EAAD7C6AC8D9835F130C0F9B2F6B36FA86ECCAD474F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:09.463{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BEC7009C79FEADD424A266EF2F8C09,SHA256=5380A206549A97322D9778CB3BB9842253AD09C72C8C1197ECA28620ECCA40D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:07.497{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001292434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:05.147{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14451-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.907{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=433C7C6BFDAB2BA14098AFEEBD4E98A0,SHA256=2EA6C21C20F406D09138A48032BACC04A30811D5DB777518903B62937AEACFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.876{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=644366ED6EB1819E18C1AD65665FD254,SHA256=E081377E109C944CF063E6E776B766D47791E0AAF8BB32AF83624B31B42A47E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC2-6152-9528-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DEC2-6152-9528-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.860{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC2-6152-9528-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.855{5EBD8912-DEC2-6152-9528-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.692{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BC70DCDD32ACDBC2D9CBB65A7F1863,SHA256=47C87CF3A68A8E61FD1F10FAE78C192766A0ADBA51043CA6BA2CC01B3731275C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:10.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397C5AF84F63470151D0823545B9A856,SHA256=95E45C7E35091E6DAAC02602BAF917161C10EFA0E2809AB06EC304084700B923,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.090{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:09.712{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:08.628{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55872-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001385652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.339{5EBD8912-DEC2-6152-9428-00000000FD01}53166432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC2-6152-9428-00000000FD01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DEC2-6152-9428-00000000FD01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.161{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC2-6152-9428-00000000FD01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.156{5EBD8912-DEC2-6152-9428-00000000FD01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:10.312{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5722MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:06.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-20288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:10.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46E10F9540E31E98BF8C9C681F1EF41D,SHA256=5DFF73CC51A01A510E050B3F1DF24CEC8C748C96F1C4AC30CC5F217ABCD34EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:11.738{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4542A22FC8AB070D5E637C1B264EA85C,SHA256=9E657D7CCC544EB9C18BB5B52860DCA4C9544EE6D4060D5D84C13CB4B794E88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E53D9654558E6C0570C9F421A0146F,SHA256=8AF1DF936ABF845F5D356F4CD1A71FB2D8B1CB19FE4D8EBA42FED1F5D14208F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:10.829{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12536-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001292458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.665{69CF5F33-DEC3-6152-87A1-00000000FD01}592700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC3-6152-87A1-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DEC3-6152-87A1-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.431{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC3-6152-87A1-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.416{69CF5F33-DEC3-6152-87A1-00000000FD01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.325{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5723MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:08.446{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:07.455{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61734-false10.0.1.12-8000- 354300x80000000000000001292441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:07.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-26437-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFEBCD1EB7F85A388D0D539478007C06,SHA256=8E9260629FC1AB39BE2EBEB0E55FB70E012FAC8F8D12FD002CD7539EC1938235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.759{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB7878B5C5AEDB844402A4C5FF73790,SHA256=76D16CB8EAD7B576E9E04D54BF26EBF5A03074142C71091B9015284AB78A72D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC4-6152-89A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DEC4-6152-89A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.778{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC4-6152-89A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.763{69CF5F33-DEC4-6152-89A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7F5F4BDCB8C7E640A0F15A1B84C69F,SHA256=6884AC4958ED74E0A541B0A31A49323C87A832988F10DCD85DA220ABBE941C74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:11.949{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001385677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC4-6152-9628-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DEC4-6152-9628-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.659{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC4-6152-9628-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.653{5EBD8912-DEC4-6152-9628-00000000FD01}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:12.023{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39954C5F961D612357F4268A78380CB8,SHA256=FBB5DA4B7E7120FF4D5905AC49E6D95547433DB7A065459DBC1C08A17E8EE72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51E8A808E2F6E3506DF9EAFC84ADBC7D,SHA256=139E01C2BA8391FA9E3DBB80905126A1D38C53DAE2E2EE6DD23E4FECC12D6236,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.293{69CF5F33-DEC4-6152-88A1-00000000FD01}33523348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC4-6152-88A1-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DEC4-6152-88A1-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.121{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC4-6152-88A1-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.107{69CF5F33-DEC4-6152-88A1-00000000FD01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A66C7E7D870B43FC6051245BAD76758,SHA256=16F2AA36B278DAD147548C982525EE1A6B7E627BF2B9782BA0DD98A84CF7AC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AC6824FFE293526834157CA5A16093,SHA256=E42E1C2265F747C6F39D8D7892195E0D5E3A0D925D750977FA85DDBA9F4B5F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.407{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1405MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.305{5EBD8912-DEC5-6152-9728-00000000FD01}32246564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC5-6152-9728-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DEC5-6152-9728-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.158{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC5-6152-9728-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.154{5EBD8912-DEC5-6152-9728-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.155{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2534885E060E8649BC49B1931BA8EC2F,SHA256=93A0B845CE345F85A25AB40945720EF22377930DEC7F99DFB46F10FD7D0F65D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.687{69CF5F33-DEC5-6152-8AA1-00000000FD01}3436796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001292503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:09.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39173-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001292502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.482{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC5-6152-8AA1-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DEC5-6152-8AA1-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.465{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC5-6152-8AA1-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.451{69CF5F33-DEC5-6152-8AA1-00000000FD01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.449{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=950AEBA4216C57FC7AE9904AF81955E6,SHA256=BF7223E4CF51EACDD778EE140C40B42B9361D9B34B2DE692BFF5330C0E510AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.989{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6295FAE70663E42143EEB0538BBF50B7,SHA256=08E8884261486F798CF30729FEB9EE69B40547C54979F1C3F358B3FD0E99AAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.989{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D257051A1EF5CE7C79396A76DE86FC79,SHA256=4514A0BDF37840377E71E01A3C6C4E93C7F8AEE2A8D9152D779F1A449291C966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.940{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4446FCB124593B1E782443A9ADF34FFA,SHA256=596A91A7B594E53E2DF109D90586CED7E9ECD94C25B6182D0B9CEF79747C9B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:13.080{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.422{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1406MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88FD6545047E828507A23C3A04432F34,SHA256=9BA6889CE6141011220150E35D414C6D5C2F4D75A43E0F43374C2156724F283F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.871{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC6-6152-8CA1-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DEC6-6152-8CA1-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.856{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC6-6152-8CA1-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.841{69CF5F33-DEC6-6152-8CA1-00000000FD01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:10.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-45751-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3182611B18EB6F69ED6EF703FE534125,SHA256=186E6E778AF444BA5EA105995718AF59214865CE45A878B55FDB6B729EF72C5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEC6-6152-8BA1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DEC6-6152-8BA1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.168{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEC6-6152-8BA1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.153{69CF5F33-DEC6-6152-8BA1-00000000FD01}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:15.955{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0045CF16597221E6359C8E2A1DF3820,SHA256=9C7285B52106C5C1F8A7403F2F0009939BA7649D03CC52E96BD31BAEFBDFF180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:15.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4772C418B93C012582818D4E7E8D6B3,SHA256=39A60D90AF1C9EE7C1FFDC40C00C40C40608EFD705CD782E65FE79DA5F4FDF55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:11.833{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-51874-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:15.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEC26AEE753441AE7ACF0E1DC7BCFC1,SHA256=7DDF97E8A3062FD61EF78641D86EC960D5349998943E9806F21D2199E90F889F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:15.074{69CF5F33-DEC6-6152-8CA1-00000000FD01}40041228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001385700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:15.296{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:14.187{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-35597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:15.373{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F82BB03C2818885709F75DF8ED9520B,SHA256=B169A1772762CC800F23795E2717B0A8EB0FAA6273404D5ABDF77A7AE50757F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:16.887{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C24D663067B7A9588921EED0279EC000,SHA256=5C1306EEC37FFEA949FF80E8D80527F91E0DE8DFF966CE5FAE9057DB31134400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:12.932{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-58219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:16.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB4B8B4FF9B7BCACC4FB17F48B5A6E4,SHA256=D3DA95C78B688F46A3F00CADC9316500ECB0C09291E75A78970B3470D1C94AE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.889{5EBD8912-DEC8-6152-9828-00000000FD01}34806768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC8-6152-9828-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DEC8-6152-9828-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.673{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC8-6152-9828-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.674{5EBD8912-DEC8-6152-9828-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.394{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.048{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:16.456{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D7FC07D9DB153DFFB9B41F3B2D3E0F,SHA256=D54F97A6BC02592F4B7BE0194DF0DADA6200BA2076E73176C29DF57CBB564B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:17.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683FEAF50EC4CA466BE3A04BCD2F6761,SHA256=EF8C1C1F035BD0B7896F629187F11B3A950C57583850EFC5B76BDE8FB21793B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:17.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7EED1074171D1F4BFD931201429653,SHA256=E70F5E1A60E47B917FE8B8428A43281D05C9D729FF2801CB876654A0D058A7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.694{5EBD8912-8CBF-6151-0D00-00000000FD01}9007116C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.625{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B5E3C38345019014FC19D7AE0D8C224,SHA256=B990C09E4D8C61092051C8E5ED9B0E040A958C83ED164E44752D0C45A3881D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.572{5EBD8912-DEC9-6152-9928-00000000FD01}54685152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEC9-6152-9928-00000000FD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DEC9-6152-9928-00000000FD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.273{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEC9-6152-9928-00000000FD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.275{5EBD8912-DEC9-6152-9928-00000000FD01}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.004{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8156F6BB47CA2EE1216B1A224EB38EDC,SHA256=B8E3362C9207107AFF876FF3515899EC50C1A4786612932217547115D76FD874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:18.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D370585DA47A302FF63CD243C0F35CA4,SHA256=244557D0F68647ED48AFB268EAEA15144C9EE8F877573C0852C93B93D642BA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:18.709{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22AF922C08632C59F4B1589FB8C4C3C0,SHA256=18B5F82D031F33E6654A79B8C0977E9C9D41CBFA7928E8576F2C7B77BD2EDA47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:17.506{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:18.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B8568BF2B5B33BFB5E933892BB7A7A,SHA256=AE6FC3B24AF49E551277346DEC32748AF724A10E07029C47D09A8AF670D06EC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:14.150{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:13.427{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61735-false10.0.1.12-8000- 23542300x80000000000000001385732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:19.793{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0BE9B158409F3CFD13AE3F89A5608A8,SHA256=4D786CA3A1F56C17F38D8783AF02F95855B0E7E63BD9449C8AA2F5987C0D9F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:19.724{5EBD8912-8CC0-6151-1200-00000000FD01}484NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\Sum\{3D3F8AE2-9BA8-4370-A03E-DC5997B4F9C4}.mdbMD5=8C7F529C7B9D2D7A0C115D0A1841A0F5,SHA256=03ABA950FFF7AEC89C2290E244C8DE0FF135B1EB41117D9D1731105571C63261,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:18.646{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:19.009{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5AB72B0678A0CEC081A8774CF5D349,SHA256=09ADB6D7A7D184411D87362AD8DAF72C96D56B0C1C1D79D08E9A6F73BD0F5B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:19.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061F3F3272333B3F49DC6B5122BA0EE4,SHA256=3F35D7237A6216E612A779BB90498B827CFF67869066C8259752DC9531160EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:19.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE12AB5239EC2E15E648F6E4144E482F,SHA256=21D79211BFA72FDDB1B1D49DBE7D2B0F589A07BC2F17CC593EF8A6A079CA18E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:15.258{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:16.351{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:20.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A659EE41267418A893BC2EE6AB02061,SHA256=BD7A528E3251B82F004541F62BBAC88BC28945E120436BFEFEC56C282F81AE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7161479914A943E363240C8E63DD10,SHA256=8D31BA3214DFE0DAC92CC925720AC80E059EE3AB8A4A137CE683A7BE3EE6C80D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DECC-6152-9A28-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DECC-6152-9A28-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.055{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DECC-6152-9A28-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.056{5EBD8912-DECC-6152-9A28-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.024{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A646912355E0FEA526F885FCA681139,SHA256=45D903C592D8C61FABC7FE0A172C435688AA31A021732FF390E1B6CC27A5E36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:20.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C55B20B5F190A3FC0775A201463597F,SHA256=87B980597A7827935C5BC3723BD41E1C3EBDD69A6C21906D277AE3C2A47E5BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:18.456{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61736-false10.0.1.12-8000- 354300x80000000000000001292554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:17.460{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:21.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F662E1430FCE78F495770149DCFD691,SHA256=5D40FBAEAE0C37BE5297F2D2C414218C48A379DB1B5C34FEB216B096617BC93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:21.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E3C29BEAA0974E936D63D72B5A8263,SHA256=05A6C172BDBA90E40923B16FE1A5861EB430730AC6BC7888C4D4300860AD92F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:19.729{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-15260-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:21.039{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5992526BE8298236FDAC1C291495AF7,SHA256=4EBEBC7B199FDF3DEC2FE26B56DE34DA6F1CE24BA97CD453892E887992A55EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DECE-6152-8DA1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DECE-6152-8DA1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.495{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DECE-6152-8DA1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.480{69CF5F33-DECE-6152-8DA1-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:18.538{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-31369-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E11C0AFAAF0BB43A1B3707F18F9B05EE,SHA256=FCA488B8CDC7424E069A5D3CB193248C2D1EEF1D1AB0C2F584059F6FF357B713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:22.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6093729C3A1EE333C25069A58183EED6,SHA256=DE34EDA188968EFF2B7459E61829E7E318A27AF5CC5F42D2388D2805AAD35F79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:21.068{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:20.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-22720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:22.053{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993EA0FFEAAFA912B8C2AC1F0F3EFAF0,SHA256=4A0B0C2584492476FC0C80D987E9963D732521FDFB7649119A80E50F5AA2BA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:22.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=103754C1A2B2AC814E00569C9E1AF3B5,SHA256=5B77E37ED8DA3B652ADEB1CAF5F62A87F8614FB11E5D3A11E9D14C2902DE2757,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:23.040{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38505-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:21.921{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-30597-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:23.106{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73FB3083AB461BB5FDB49F212F24EB55,SHA256=C85D48393C1EE80FFE5BBA464C7E134D4A8DB762096B466593AEDB56B1BB16D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:23.071{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5773314288DDD6506256285B17FB8138,SHA256=150A4C777D03E01F61C18A613EF0CCDF618A2958DA7807D995BE30980A45112C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:23.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EE9087989FE9959FE420DC41BE01EB3,SHA256=58D52B6F897609AACE3DDB561CF73562CBC5508EEE94B97E95768439489A2255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:23.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B163E4215F50B29D37A32B8C2A0521,SHA256=CA9A85DD85CCE11AB61A53EBF2ED82AAD57E9D205D74976BED5E36C4EC774AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:24.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DCE7671F81BEDA77FEADFC2495A7B9C,SHA256=76A19BA0258E577B8F72379FB016854245A097E2704AB243C1B912B7E8581412,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:20.787{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-44400-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:19.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38006-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:24.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CBE293C5E953152C8CF4B46C3890D4,SHA256=435E7F251B622D19E8E25E5DEF1DA0EA912954183D79B1709F6373796A366783,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:24.141{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46287-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:24.305{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5929C6CAC990E73790A3631447B217BF,SHA256=8FA32E14084610E57F16556200CB5275A8604AF31942C3BD2FF84178F23B261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:24.089{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF855372FD845D030C769D1390EEF5BE,SHA256=1A290449C38D352FCC4A01569010699DD0B4AFF75AB0417DDF5D33D578A1A72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:25.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD1341794D3A84569F422C3673909F7C,SHA256=D5E2CC0637D9261D237255AE4CCE41C80EFE301F6A06763AB73CB395FF4B3987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:25.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334304EEEBE33E052B85D483DF6146D1,SHA256=391B1518749C923B65659A114F9DACBC8F1D7680E4EE9E4DA911510F07F2E3D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:25.322{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:25.388{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050E6306FA6FC887B2F5C10F834606AE,SHA256=BDEB0A93BF787D4976A7F294EA26622349555321A53A61BF68D2FBCAFDA1065F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:25.173{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75F2AB13B044F32F6047E201BAB75B5,SHA256=9B7EACEE981B363754A9309AEFCD08A1A099A9162EA7478C8AEAA8204DE5B63F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:26.216{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:26.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B2B00208B4B7DCF03B8B6040802CCB,SHA256=DAFED0A41E02A2809B52843B445CEA052C5E54A4E62636657508EAD6CBA1C269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:26.287{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBABB3E36B4BBE6F2D94A3110DA4D84,SHA256=265F44DA83312499CA3037BBA9CB716C832F850CFE3DBE480FE71B35EA804E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:26.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB5662BBA0CBD61E31E228FA0695B225,SHA256=D06DEEC0E9AF15DEED317A3E4A9FE26E39E2D6A242E36560A511A5CD805FD7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:21.909{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-50966-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:26.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AFE3BD4CD84A8291582B1294E74A5D,SHA256=779D07912E12386DCA3BBEC2EF7443A894E9AB12D4B52A6E913A496B2BC44586,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:24.487{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61737-false10.0.1.12-8000- 354300x80000000000000001292585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:24.132{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-4734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:23.034{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-57245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:27.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390FAAA36C4ACDFF0D8E46C205911510,SHA256=7915601ECF2B246BD23048C462B45775167221626723D4E43E40C4257859DFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:27.686{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BDF1A97111360D2909B3749E774FDCA,SHA256=3691229AE393E1CF70F2FAF06AC30C7719BDB0847324D18F92E599307AA7FBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:27.302{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D40D28086DF6C9E0A4CB7B72CE33B8,SHA256=CD26900CF0D186C7F82F461130AE0863A6E08C795BB58EAF419EC9BA7A71FB46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:25.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-11122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:28.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C490A3D174A67D375AEE9DFDD6C77F99,SHA256=89540871F756673912241B911FA1F2C6B80A499A6D8C3EBB037E3F7BBED4A2BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:28.766{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B60033759A40E7CCA9346AB80A5A2389,SHA256=827B7B6731C49BC33F54A4EF2AF3E95589433B80EFCB16BDB33C3DC505A5DAAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:28.317{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9605DE6485424FBFFDC1FD3211664A25,SHA256=87776EA9F060B02207B06E5B7DFD44DEE42CD3C6054299374700CF7D86164527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:28.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7224E441C35772097D12FFE9C027BB76,SHA256=3F342243B795DD6A0A09626471E124E781A7978341AE61E9FDC5B0ECB4E7847C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:27.554{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11181-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:26.406{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001292592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:26.382{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:29.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C495230F864A6A5ACE4F8F3AF571B4,SHA256=5B5BC40E9A1153E9A3109C06A73E852C3443EC5121DFFF1E03369C293ABEA745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:29.931{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CEE20DD59E90FAEC378D96F3EE8E13A,SHA256=A6C8C0D04C32A54DDBF2F8E7D1E5F44FBA553BD93F15309A80E6EE9AA1CD9D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:29.348{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBE202396C1AA02A54789F4CAE40615,SHA256=C976C90DAEAD08A69DAEA6352E92A661D70D90340E6D80B11144C265CCD81E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:29.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFA7CD1EA744C913443487810DA8B63,SHA256=B229045C7C42CB789BB117FAC1945FDB14F7E8CD3A9C4169D9C20D94AC869385,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:27.507{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-23917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:30.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10D1E5C9026F8D9D870D3B6AA7D0D12,SHA256=7540B08C0E13962B9CCD9024ECA54D4EF0FEA8C142C4DFBF3BCBD987F5D88551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:30.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74274DC62C3F75E24621AC6CECB39C6E,SHA256=21832BB04D05E38987EBE3260C64890B06807218FD3265A2767D088E009783F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:30.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5216A0BDA7F5F5458BAA402B2EDB35,SHA256=B7C23A11FE609853F8D2C62361493447A280EC1A14A7C86455A228D05CAFE0E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:28.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-19264-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:31.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA200B4523B3E91C87AF0054DC0AB96A,SHA256=E527E61A022A37FDC1DCF928D64291DB03A7E16B844A095241DA796B75162F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:31.384{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E3AD262456330CB04A50D57036A7C1,SHA256=F9D4D829D3F41425956F00E6C8034A6F96DEDE10623AC29CE87DEB865BA9AFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:31.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02DE192057BFFB0398880FD4E9B72B41,SHA256=3EFCF9D359F0BE46EC8FC3DC6768886BA6FFEA9C13F756B1042646A58D874A3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:29.832{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-27047-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:31.065{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E05BF41B9A38BB54F69584CD16FFA0,SHA256=71AF95AFB72CEEF0E74153F44C5423CF14C300743B15BFC62F783621E0D439D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:32.429{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798621451A2B5A7874BAA105C31FD885,SHA256=562CCE55EF3F77222782895A51D763AAC6CB32AD9C59936A8CE733216222BBEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:32.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCCB06AEF42D7388C614AA1904D319E1,SHA256=178127CE6CAD266C7CC71D45071C62A67C976EBB599C8DFFFEFCA0EC894FAE11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:28.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-30465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:32.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71F9C7AC247439BCE71E18BE8741C4A2,SHA256=4D412DCD921007A65F2A20BD92D8D181E9DFF5751CA40AE550848E969206CDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:33.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A980EE57F14A4A6BA4FD102CE2BB0AEE,SHA256=100D0006F990DBD07FBE01F47979E4E74F392550548544FEEAF453977C367242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:33.444{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401A1A54480CE4148C4B918DC9E26F61,SHA256=875952C724DDCDE61B24C7203BAFC7C07157A6015362B16155965F97FEA38498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:33.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D5C010A89136D9DE167C88B6883518E,SHA256=D195F3233847B3E8759449542308027976F4D4309807F2E14C7D6CA317341D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:33.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E52B6FCFF2889F806118818A1D24C6,SHA256=49F5F8769A42212B76464858D27E0EC6EA31356B8350FAC7A663048697133156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:32.196{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:32.106{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:30.965{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-35242-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:34.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B0499CC662F9DFF2B78D3255B430BFA,SHA256=C1120CBE7FD0CCA608D90364A09CB453EBDF4AD13A37E921225A4ACC0765C32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:34.496{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01A5C6D72A008C0E7324EA102AB5933,SHA256=C29B517C556C457A0D27C3D50FAFA36D7673794126E744E14404FADF36210333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:34.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE05A503C5C89ECB51FB5660F32C64D6,SHA256=BAA1FD8DC6A1AD3C295C84ACD4EE72D3A23F0D6E1855EB5644422D506B4AEA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:34.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEB5A3A741AE4D99DEAF660B093E404,SHA256=F54509CCB3F4CE45C2291D11454F35082DF06733940F9BCF2159A487619CAB3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:33.271{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001292604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:30.898{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-43367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:30.393{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61738-false10.0.1.12-8000- 354300x80000000000000001292602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:29.710{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:35.779{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=186B37B9BC5094C17FFED97573A3CD56,SHA256=B4C08DA2FA6927F6D4C8D3FD3C2D6FDEC8BDDCF35B92E3766DC6FA8D97015082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:35.526{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F0BFADEB972352609B7BA8F2B76E43,SHA256=4444698EA776C312618ACA311AD83E42371104D6864FF4442BC4D6893B659908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:35.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5346B70CF5295AC88B72CF2B8BE8748E,SHA256=FE011AFB472F859D5D68533660480AD0C58C4B6DA60BF1809A01184D995C9165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:35.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7942C18DC685CFBCDB5784B60A22C3,SHA256=16CECCE8C0014E73D442935C9EF235747FC4BB143ECB8D44258A1C22D9494569,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:34.492{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59481-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001292607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:32.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-49619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:36.909{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FD2D69F791BD0D8D0EF3601D13F64BA,SHA256=6CAB3E27DD68B77B13AD8D3A2F64D5F47E1CA0BC5CAE247CA68E46F3DC6FA2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:36.558{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCD1C9129AA727469EB8B5318907D28,SHA256=2808F748B660A3521E22195070992D8907A4C55E0BDB861BB07E3F7D120BCB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:36.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CB945A98B78CB96A9C761E54D47BEE3,SHA256=2DB0396C76495AD8208E3A5F3DBA66AC72B5830DA8CB6E2F57D69E3FB6681C43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:33.116{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-56001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:36.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77010A34714FAE39E36A5B3C1341526A,SHA256=17DF4607D43CD58DCFB7C4F04A6C4B14C3879EAF31DD944D449EB995D5724094,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:35.652{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:37.993{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F533C83C7620E4E8D3FE100FE35C2A,SHA256=AD52F592CFC96E035579891CEA528A2197E5EA99BD7E619850D7C9429153EB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:37.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD17E0B0A6B57A4CCF60902853089A5,SHA256=2E9048361BDA06E6464CDE584D2C4438F014B6E2EB56C3141F69172422028C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:37.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBF382BBB5F8FBCB79EB376FB3BD63B,SHA256=C7BE25016DDFD859563211A5AA2A74D233C659A228360F5D79B6597DDA9C539D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:36.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16941-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:38.624{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540A1E7BE59C98B3F901C8975E7A26D5,SHA256=B1F0A838A12993409B96BB43BA194CA89C37CD6FE656F7576A93196809CA7165,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:35.550{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61739-false10.0.1.12-8000- 354300x80000000000000001292617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:35.319{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9826-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:34.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-3334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:38.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA5ACF31DD51435FD570B38AADD5A24,SHA256=5CA464D8697D19C132829753A3B38E6E59202C4A1CDD2F688ACF906208934702,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:37.206{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001292614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:38.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=503458E1A904DB678B2EE80331105CA8,SHA256=8C050DD41C13372EE61C7D15BA223BB5E61816C28D64D54906E175BCF862638F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:36.400{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-16143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:39.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9527BD554FC8F2475C58A50582B43766,SHA256=FDDA22729C2B2E366E9DA7177252F2F4FA257D7DB3FA6AF7303B8A9354CFB449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:39.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C916310FE7F3B9559F8E84B40D23F743,SHA256=67F72F7F517A402B54ED83395261F73A540D6B1BCE4C555D23C45E1EA129B6B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:39.026{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-32210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:37.929{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:39.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF07762A1DAF74E040A29F3CAD24407B,SHA256=9E6BADAD34EF9BB0005B4C6DD48F3392831E7306552A6B031C0820A93F027924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:39.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=403FE6C36189B514E791125D610AC121,SHA256=323080278137497FFF34262B04A30408B861E9E126F088F73EB3F4457EDDD5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:40.656{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F591D9532AD73D1BE234298A6DEA5F8E,SHA256=91DE6C58CB04B31B897DE590A7ED048DAEEF691714673D161B26A80CABB21630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:37.483{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-21917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:40.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386E7D45AE1717425A711FE5DCB7B687,SHA256=8FD1A75C0C9F348C0EE1B471C0296E9B18807F7C86FC57615DF56641A27B91A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:40.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=712F40183B63AC7BFE583A251A0FBB2F,SHA256=8572FB54F2B4CBA56BBA3401BF826399EE27BEB3BD02022729A728A8A43631F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:40.322{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3045BFD55F05118A88BDCD98A5BE8409,SHA256=2882BFA5884929EADBDF000FB83B304055FF29324E52C994DB0E49127F513B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:41.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6A68F3254D9A3035B44D2E845F966B,SHA256=6319BB607AFD0AC8345B8BCE84EE1D25B0B07F65732C1DDE98CFF955B6A6006A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:41.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCEBBE57E747ED3AB101732D7D153D9,SHA256=67594EA955F30A45501149675525CED1DD7E9B6E2AFE596E068BDE45A23EB338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:41.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=543532CD3785A9B85AD9FD26EC4DD5B3,SHA256=6891D57C81E2723C62688E903F056144846B1980CEC86BE3312DF8C3BDB9114D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:41.405{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C602ED32AC2E121ACF67530C641E9B,SHA256=59D99029A4B375BE9DBCA0E2EF51206BAECB7CAD2F21C7921D23CEC87683A61D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:42.720{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5203D7463CB1310CA37EAFCFF81FECE7,SHA256=6B41999F81974377AFC602F8C1D3B58DC3E8556C316A0E9A3D40522C2CA4A0A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:39.681{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-34682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:38.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:42.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=882C7D75B57B81B787548C8A2A3B4DC2,SHA256=ED4F2772B453C3EAE43443146BF30DF43DE01F2F7DE3605AECC027873F7B69CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:42.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71C01D5587D6F21A320E1CEFCA72A10,SHA256=24B91F6E2B6DB063D9D9CFBDE723E8071C946A344C1302CC67B9C8F41F49587A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:42.488{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B02EC158ED2F7E25B86BE29C71AAAACB,SHA256=67D7812A6D6C880C0CC82DDC087866EB5E7F11A56217EE715601781FD9E7F14D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:41.340{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:40.256{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:43.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD48CBA58DA616A9C653FAF04C3EF622,SHA256=69825ADF7E6A8D0C004AF3610F0548B2046ACD0C510124D0AEC50CEDE91956C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:43.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BADD0B65452A49A7D4D515D8A51A7C,SHA256=657F5BE4DB323D3E368330FAEE50435F4A244B641EF5349B3F4C6E1E2C53C418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.735{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B0DA774F62638D2F22EB95B99568D0,SHA256=0440C3780D1CCD9D405FC7D682817FBD162F0CCB6662973AAF2714E492D1E073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.572{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679871E362C6F4F356DC19B92DDDDFA9,SHA256=A71142B9278378C803463844FB5C51085CBF5214AF0D58C8B1AB9316D6A9A895,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.101{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59034-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.101{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59034-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001385811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:42.424{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:44.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=599AA73E5FB14BDB73CCEA571C664E26,SHA256=C364ED5E48A7B9E857CB05E615B0DF5FCC4C9551E1AC9DB24F6CD0A1D939D0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:41.458{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61740-false10.0.1.12-8000- 354300x80000000000000001292635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:40.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:44.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3525454F23259C831CBDDB9776F843A,SHA256=8B242468A398A2AAB737D8E039ACA9297339202BC106ED8AEC269B4C076A240E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:44.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002D1F8334BECA1C8BCDC7DD53E27437,SHA256=DABC6772875D3706D76CB7BA7663773FD28CC5C347C9D03103941BB268A07F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:44.356{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DAB732633C0C73A692C92A945B8CD6B1,SHA256=6795FFD6D51485BAA3F2F727AB6AADBF660EA76E234AA8DBD12113DD1801C5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:44.671{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0B34215D6C4B57250512ADBDF418F7,SHA256=5E7648711F32C7ED0B46D23C4453FE9CAFBF89D7146B2D1DCAACEA5D64379136,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.511{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:43.201{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:45.786{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A253AFDDFE477F2DF52850F597040C,SHA256=C5FB7B241F6475CA98E01BCAB5D4589011CE316101B57614BD7D52305F214E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:45.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D825090381600E0BA21BEA4D32A375,SHA256=ADA85B18E37D151CBDE951664751BFFBA7CC11192A09069CE1731C32EB2DDB8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:42.009{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-48367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:45.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216D15D65E09076421A45ADCD2995E77,SHA256=02DE5169BB31DCF5AF6591E35644688232C411082C2A94737CA85BBBE5F1DE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:45.751{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92CA5B8D5453DC861AEFCA143B9967CA,SHA256=13FD4D4B1C266CBA38CCD280F69D6D8332AEF374FB61044C0E98CD87B92E995E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:44.590{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12287-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:46.816{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53D106248F6CB07957128DF6ABB944B,SHA256=97E8767F8A251CC54049306391C98744EB3DC4999CD843CA36301D49388E7C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:46.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C3DD61E7DD83F7D462E3712EE154875,SHA256=2BC9831A408984CC635369FC6F98020FBD6B2682AC914A3894265D978DF420AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:43.102{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-54652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:46.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBF7A6E81A99966174FBFC69E76B295,SHA256=90CB09C1D6390232EF8E107B25AC912E261C83D875002449F64B61E81110797E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:47.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AC9BD20BD7B0CB67499EC4560CD493,SHA256=6CEB5F99BFFB7DA1CE71F465DE18512D914A129590D9A792CA0BFA8E374EC6C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:44.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-2073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:47.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD76B23399A2628A3B010371DBACBC02,SHA256=239FDA0762D93B24401A5623CCF5F51014923D8955E75B06943149CC21992760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:47.784{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:46.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-27832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:45.689{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:47.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E11330D3C5C904DE9A9538B3763E57,SHA256=D5E0E3528644E54DD9DB3EF2EBBF94D36240777C45A1BD9F041948BF14572EA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:47.263{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:48.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBA802D47BC92235C031D040207C3DB,SHA256=C3D94784111A98C9EFB65BB7D4A0EAF0DFEBA605D65AB3F03B7A5312DD69A3C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:45.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8874-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:48.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C402F5C3362158C153649D8EDC2841,SHA256=8A1263342D0722FA8D2BE93BC764905A5F6D01FB29A188D975B7A8B74546B73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:48.101{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:48.168{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A81E59DC2690855386BD85C6485AB2,SHA256=F9556142B52BB50523E859B2B7D421918B52E1E2380F740C4F8685F5933D9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:48.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A67F6F3A03FAB4BE228850A67CB394F,SHA256=F57A57C19F5707E996EC2DDF6B081CCA86D890E66E2FB5AFF14572E0406469AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:49.884{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB4372F7C08DBDF14BB463285127936,SHA256=027EBFBD47FA7CD4E38B50B87FAFD608B235079BF5AE771396FFB5663B51F516,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:46.583{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61742-false10.0.1.12-8000- 354300x80000000000000001292653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:46.432{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-15141-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:45.599{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61741-false10.0.1.12-8089- 23542300x80000000000000001292651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:49.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905081E80B8092D5192155CB1AD86713,SHA256=F8050FA061F107C8810194293F5D1088F6296463AC3ACA69FE52E58F91B6699F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:49.143{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:48.765{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001385832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:49.230{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35D5773BF8E51605D782AA1EDEF538F8,SHA256=D439102F5F8949C8A283BCEF05EA17B0B7715E440C26A5379D78B065470555C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:49.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0677A11DA680B33214022F03B0AED6,SHA256=778CA49EBE36FEC5EDC8A36CADD9EAF494B4E73CDCC02761896E63D19817E2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:50.914{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCC2C665315AA761F44D87B21FE3302,SHA256=DFF099BB8FA520FDAA1DE851CF005D85E5B1F0CEE0D452A23C815F7FA69F8DAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:47.510{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-20908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:50.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA1E6D40F85054F172894382C7EC44,SHA256=8CDC2A3693F4472301357CA1CC7FD5174A3AC91DDFEFD77EC336DD98F4E34704,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:49.186{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44157-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:50.315{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A081378BCF9B5725CF7E317AC59E19,SHA256=6E2A761715AAD75BA8993466C07D94C2E64531E91CF8955368225116E06F70BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:50.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04841F5381C5C089F2DCA7A192AE7384,SHA256=E4EEBACF4F354565CBB518660B1A1AA6AD48B4859CEF1EA06C5D97AD7EBAE2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:51.947{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFE82F610FB832271B6A11C4AE1D3F6,SHA256=65012198487076E11D82F71BD7C84F664C69DD60647D19EB62342607F0A3BCB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:48.619{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-27500-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:51.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1104DDD8E1999E39A08B018A5A1A06D5,SHA256=4ABC098C73924BD2498F5A1B6F50C3F8C08AC1D3843A84D754B76CBAA5657A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:51.613{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08D7407D69499480C09129FC9E58CF79,SHA256=306D7597891267D762410D826C2060ECE178F26FF8ADE2D7F46D4C0A3E0A1D7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:51.372{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:50.264{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51374-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:51.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3409C9F1AC8CF57459CB5F4AE4191677,SHA256=AA51AF78CE7AF17E420F41D9D0CC7D45F129E390F8E81E1F3430868E690FE601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:52.968{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A79DF1C60A96FFD9FBC543F5843343,SHA256=6F431E4278BEE7FCF5E37010C6215075351559EE1B56DA6A4DFBB4AB9B4B4C1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:49.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-33753-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:49.519{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4967-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:49.494{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-4836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:52.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572474588D80878FBBB764C13D7D132A,SHA256=F419DB1FACAAFE5213264E9D2C370B74CAB37097021084F8FF30EAC2C80E7AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:52.697{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5B9432E2C9602795B741478C9C9F104,SHA256=19DE13C43374A30EA3C9A36E84DCA0C6C6405844C43C60BAA5FAA635D2550686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:52.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE125B34F1CB656D65B26E5F61E67BAB,SHA256=55B0BE168060A2FBAEDC33FD9C85EA9744D537B5FFFC2164879DB998DC2AE6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:53.968{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9F8FF6F012AF665197C09F7307755,SHA256=A3A23C75B131822507B066FA13ED8B55615A8E903FC038C7792FB9F3E6354747,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:50.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-39838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:50.616{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-11241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:53.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515BD59321FF9F5A579137CECEB73A80,SHA256=C93B9441C41C5F79CB399914E57EEF4E8D767832977CD0C03E900C6C1BF400A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:53.915{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC9A72889168971D13D8C348CA0ACB8,SHA256=742E646C9139470FA9233F39051C508A5170799CB85E2714EC63E067A8E62994,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:52.631{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8553-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:53.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C68862D0BC3964FF77A695786B859F87,SHA256=000D7883FB60BDF44CBBDCFB4A72E98CA8C980243F2BDA4E4A78B075B720F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:54.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D567FF767789BFD7ADA4F3F17A75C8,SHA256=3E1F8D2F89A9CAD6CA79770FCB7C7E38382F089CE279A8B2400579E2FE34ABC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:54.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C223AE9A097EC228314253415B9A6563,SHA256=640A5D25FCAF77B6F0C5FB44D3FB8C44D97A04EF22F6BEB25C47A545B50DC834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:54.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773FF65CEA74457CD223156C6D6242A4,SHA256=A8A1B757F95B6D5D15821C0AF6BE991AE466D01DA4C37887A7CF084CCD12A349,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:53.731{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:55.778{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD1A22C03ABA1F177838CBBAC01BD2FE,SHA256=7A55386A302F9A24D1518A53AB0200B70C6F2654F27D1D1D03185648F75E61DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:55.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC6E80F5A5FE4C92168149220088D91,SHA256=486F434E7CBCCE4D79317F7638EB7AD28AD0B0F5C4C9AC518BE69087484A81ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:54.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59038-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:55.014{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F479A4148D450415AD14645FAC819067,SHA256=DD1E6EA3EAAAB099DC9CA332088E8FCA2A7E3A6200CBC5EA07F29DF7520F4374,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:51.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-45984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:51.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-17555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F99B3BE5AAFB5413D3F4486A2E1D90D,SHA256=5C4FA25824AA9C0128DD4294C0E7AAD6445F23564433123757EE78CA0847C3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBBB40CF79B1E09C45BEB4EBD144830,SHA256=CE85E49FB7F12AA3E1C2CC7C9F6E7AE7004280DE49B7B6413F8188178892B25F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:53.025{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52347-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:52.791{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-23632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:52.614{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61743-false10.0.1.12-8000- 354300x80000000000000001385855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:56.033{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-32291-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:54.949{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24437-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:56.149{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D75DE6DAC73A24FADAE4E2A5D92E42BC,SHA256=D64C9E815E34184C62A3113384369E5E83FFDD68AC2780E399369FC5AFA80EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:56.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F874FE44539496931D86F6396A353C0,SHA256=8D92D4877B0B69FEFB06FA77BF059129847D965C8328DBC0CA28214EA34C7D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:57.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4917114EABB8C3334009AEA7E09AA1CF,SHA256=37309D8A53805D23A8AA3D2EBA80C4A7C18AAD4179277E8B63F1277D07E1F04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:57.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF62CBE81B76DA55E1139887C20AC83,SHA256=42B9EEB18547F75B7ED4CAC1A403EC1C2854E7861F16B7AB131B42B0C1712829,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:57.165{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:57.229{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E275AA1221EAC0E34E2BB3C6BF393B45,SHA256=01B96B65E93D8A91F4139713FA938F7CE88E2426B28A2F690E668AFD73C6E278,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001385859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:22:57.082{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001385858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:22:57.082{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001385857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:22:57.082{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001385856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:57.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846DE7DE178A5174E1A212A7FF0A01B4,SHA256=815BB460EF004E99ED4363889E2ED140DEE6F4F5ECDF1A6BC028A6917ED073B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:54.150{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-58917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:53.869{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-29726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:58.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F9EFD99A67960BC6AF5EE46B826760,SHA256=4402121E793519B5023D0E0A3877E13C56083F6FB5EEB128989EA579810CFDF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.320{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.100{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59041-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.100{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59041-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.094{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59040-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.094{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59040-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001385865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.080{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59039-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001385864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.080{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59039-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001385863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.412{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46C4DF5904FDD89230043E38BAF6F12,SHA256=EBB403E7DABC265EEC225C13B945ECBD7B33E533F9CB0414AA674DDC91B26687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:58.081{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E576CFD7FA3DB398EDB66C0CE666BC,SHA256=786A208128CAAAA919077F8FBBD6F1C4273C81F57397C0A6A42C14AB2986D7C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:54.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-35965-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:59.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EF7539FD8C363C26D8FF9E7B1DEFFA,SHA256=1B7A406BE71807EDEEDC4B9C9352E7C81169298D5ADFCC8FD6FE2A20D95906E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:59.511{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D8FCB9070971DA4D70D6AF1AB48D68A,SHA256=34457FC34D06EAD7413B4C485D912A0394A40A9E454ED971A8B724FD97286C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:59.095{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EF7CCCC92FA63A1A39E8DCF3CC9A5E,SHA256=C656500159122E3EE8029DB21194C6D4D37E428333D6800FE83CFE2DDEA478D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.310{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41544-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:55.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-6806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:59.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=288C7CA707D982AA5309853251A283C5,SHA256=5E3E5E9221D2B81E253B5DEC4B6DF2F0A1B77C7CEDB46C7EE5CFFA3740D2DA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:00.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9A7EB3AE3ED7EFEDAA861B40E4D7E0,SHA256=AD107C3DDDB053F64958ECA970851C97DFC77884732E713060D374283DD36137,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:00.143{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:22:59.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:00.594{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD5C3FF357A66DF98FFFA353CE86C512,SHA256=2921F5DBC26CBCD05C7C2BFBFFC6E4489592306DB9CDF2EB9B41F9F49FFEC154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:00.111{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0E2C452C2C2E201D234727F33A9D88,SHA256=CC331F9994045ACB475EE4D8B008B5C5D7A4F36F6EBB2F25D8A4F3E6C136E0D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.417{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-43632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:56.335{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-41726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:00.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D30CFD7058D7A6CAFC5C88916FA76403,SHA256=E5F9987DF9AF7B81B40EB8CBDF2CC03E58C0071FC60FACF7FCC291DBA0B94565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:01.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A62ECD1F0F0281368B771BD37B2712,SHA256=25BD10932E4BDC302192A48B094367C1F7D8454F505217583A25CE3691F4E977,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:01.616{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001385879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:00.530{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:01.727{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB3A68974211BFD511236B8AA416B153,SHA256=41F284F4EC2F966B2B317A494E5AAD41A8C3055646097FB2E76CCBF7C8318858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:01.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0600E075457DBC1AD9BA5BCFE4492AC,SHA256=0F094CB582376EE1633F06A43000627F42C60E29B468240ECBB540E424701573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:01.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39DD67F3A0A80CE3AE90ECF6F84FA284,SHA256=8DF9234D7963A05269E9F6C0CAB9D829C64E093092FFFB33DBE8D4DC58CC00AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:57.530{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-19943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:57.514{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:57.451{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49948-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:02.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC97FEB8A8C6F6FF0F6400E72ECDD316,SHA256=1A7634426E097BABA21EB1CA2028EF9F062BFCABB3F2872359AE53C4578D291C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:02.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEA7D80C1C528E585C64BB3809EAFDF8,SHA256=B538471B686A423AD7949E7954743DC487CAD1A3E2BA0DCC28249B10D118E08B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:02.164{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA10B258FA67DE9BA9A87B9C9D200F2B,SHA256=D5D87669824E08E9387BDC23CBDE08CD22C87A97618B6E717677DFC6CE804D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:02.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D808A0D95C33D7677DAA775C86AFFA0,SHA256=3B7DE5D63364F5A94876434CB1FF67573B1420EDCFBF18A06EFFB344CD41A7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:58.658{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-57715-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:58.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-26139-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:58.544{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-56066-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:58.446{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61744-false10.0.1.12-8000- 23542300x80000000000000001292711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:03.705{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C327CA6CA7CD0CFC0FCF1E899886FED,SHA256=4316A943B928E3303FE737CA80F77A6546C00DA2EE26F9BCBDA07A048FA5A854,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:02.747{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001385883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:03.179{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B72570A54988CA56E510370801BBA6,SHA256=58429AFEBAC4C33BBEB28842D0B3DCC488DB76FDC0667414C37D9AF4C77883CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:03.440{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DDEE1089305D5A256CFAF0CFB4F23ED,SHA256=20F1F81012BA3E3A8782473E5D4D10D0A6A889947E2C0C07A20B2C365863F09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:59.777{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:59.698{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:22:59.655{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-3340-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:04.705{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F384FFEA0A171786124695AC00610E47,SHA256=0EFB9FBE5B1AC5C04ABEEC8C9B516BB073DE9D3CD09CBAE28A6393498CE337DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:04.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BB4AB5B20EDE6A662147CAB3EEDA6C,SHA256=DC64062AF2BA4A668DAA935B8636435459FE1BD2D0EF4DCD52AE920BA7ACC3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:04.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DF5987229630AC8CE09487BBEA7E34C,SHA256=1A8A04FEF75CDFC6A6FC6F5C698D48F016F915D3254B22F35BD4FA3DAC9D2B20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:00.893{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-14609-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:00.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:00.733{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-9554-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:05.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE216F2B04C32A818AA023627D6C5FD,SHA256=F398F1EB960EB141EB11F10166A253FF416AD660C9801005F6067FD432CE560E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:05.208{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA4BF4E4106DBEDBF0F33FBFF82A8CD,SHA256=EE6B86AC4CDC0F65CEC2690DC7FBFD1B92412101EBD72BF057CD3D41C29E7247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:05.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E115C0DC2F7AC7C0637AF9D37F1F685,SHA256=844E6EC7A6E4DB1F38398AC132F33DDBFE39858C291647788BA372248C2D5673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:01.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-45229-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:01.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-15658-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001385886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:04.660{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse59.14.196.14-37091-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001292724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:06.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF1CC9B03A8AB9ECC917CE876CFAFE1,SHA256=1D45EFFDBC79A703D475197A0DDD4B470ACF9C4CFEF0D5B06E617A26C9187E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:06.608{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32F073B810216124A03186EF0690180,SHA256=B7A2967A347CCFC586275815EF1ACA6D6137240F9AE448895E3FD57A8C420465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:06.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BDAEB81D9A6CEBA77AA5B9CCFB5E48,SHA256=CE51DC233950F21B4F10A77028398C05B9B9056E1B43ACA0D0BCFC121EBE97F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:06.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0D780D71DA43320173DB9AA0B43BAA6,SHA256=49992ACF1215C90670774BBFCB2DC6DAE2390093435B1556AECABA8DDB713F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:02.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-21834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:01.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-21820-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.799{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C7595BF6A5E125367999493D299F02D,SHA256=056A5507D515242B5A14A236FE5593A8F0F913A109488DDAB174A6CFF615F1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21F869CAC5F526ACE29480685DBC42,SHA256=433BB44B167139D4ABF073560F50493D124BBB23210BA6E124B59DA22350DB85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:04.155{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-36927-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:04.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-57430-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:03.983{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-27995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:03.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-29252-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:02.982{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-51193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:07.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A553CB561C6B6C503B30754F2A970E,SHA256=DCA5F72E0B0C6D7D55ACF238B1E6FBF89CE49B13854A3BCEDE099FF4E31BF559,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:06.174{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001292737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.877{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE5BE09536929056594EE693AF34E8F,SHA256=5568514A4BE8214B3732CA71DB049DE8DD2B062AA6FB4C7A42A9B769BA14C046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19C21BA9E170E5DF869B81F264FA169,SHA256=EA327E871AC54F3C68ABF5150F68E446654247A241D6F530A9DEE8909581E789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:08.240{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D584D4E925EB978E7ACD50BA037F0B,SHA256=17DD45950AF84A0F1B529E98A078710D00B20ABC16BDA2886F4FCEE37A7A8866,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:05.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-44589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:05.171{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-4654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:05.093{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-34334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:04.416{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61745-false10.0.1.12-8000- 23542300x80000000000000001292740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.877{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05225D603A001110819AFB409BA80377,SHA256=E737F0941F180519D70AC8A27B5E67DCF29789B0E60D1F8B61577B08294E102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:09.258{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6339E9DDC4A505D5EF322D625638218,SHA256=894735007394BCA161A4C5E813066AA01D1487E9295D459D88EF18C2B6043D7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:06.249{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-10828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:06.172{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-40503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001385911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.889{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=56E0AFFDA7315A1D48592C0E45B692B2,SHA256=25AC8915B94112069CC42B591539CC6C74A4568017BB6A644259AF13B6FC88C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEFE-6152-9C28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DEFE-6152-9C28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.820{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEFE-6152-9C28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.821{5EBD8912-DEFE-6152-9C28-00000000FD01}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F23FB6A3688C0A8CEF53DC1D2AFB30,SHA256=107859D34A369DEA8AB46FF270C3C93F9320834A41A65A6F990BBB7B8D4E6769,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.889{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.853{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50439-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.830{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.793{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50060-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49907-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.746{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49560-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.739{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2469-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.699{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2297-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-2128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.653{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.637{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-49051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48902-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.604{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1592-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48757-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.580{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1384-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.569{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48653-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.557{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-1207-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.534{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59858-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.494{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.487{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-48102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.471{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-59548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47862-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.412{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.376{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47552-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47422-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.331{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-47018-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.264{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-46822-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:06.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001385901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DEFE-6152-9B28-00000000FD01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DEFE-6152-9B28-00000000FD01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.157{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DEFE-6152-9B28-00000000FD01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:10.158{5EBD8912-DEFE-6152-9B28-00000000FD01}5828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:11.288{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379E48ACEFF5960111D47B31A751BCE1,SHA256=F98BBCEAB86A31B26843AFC608D4169FB4A0A038226F404AF7B2A3DAD1934E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.849{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5723MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.674{69CF5F33-DEFF-6152-8EA1-00000000FD01}24003224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001292851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.906{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.884{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10141-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9811-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.788{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55652-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.766{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.751{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55460-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.742{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.713{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55272-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.704{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8746-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-55117-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8530-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.652{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54760-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.616{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.595{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.584{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.572{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7937-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.551{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.547{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.528{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7452-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.490{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-54005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7036-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.444{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6760-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53601-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.400{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.390{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6637-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.378{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53340-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.356{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.345{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.334{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.312{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-53002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.290{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52658-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.234{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52532-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.212{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52423-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.167{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.144{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-52113-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.122{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51955-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.098{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4818-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.088{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.074{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.041{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51630-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.036{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4500ipsec-msftfalse10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.018{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4371-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.992{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4275-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.982{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51259-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.959{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-51050-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.924{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.60-50861-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:07.906{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3424-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001292789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DEFF-6152-8EA1-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DEFF-6152-8EA1-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.455{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DEFF-6152-8EA1-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.440{69CF5F33-DEFF-6152-8EA1-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:11.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6533562247216BFDAD17AFFD6C9F693D,SHA256=C5D944116FFB835C4EBECFBD383DBE38B1D9A7B8DCEE00F29B501C48585D4115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:11.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA3E83F4515137C8AEA0BD92D81C9FF3,SHA256=F840DA733953E3E11CBC2F6FE1218A07D01AF05E7696FF885476D62643DEF0D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:11.020{5EBD8912-DEFE-6152-9C28-00000000FD01}66485564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001292902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.852{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5724MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.847{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF00-6152-90A1-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF00-6152-90A1-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.832{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF00-6152-90A1-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.817{69CF5F33-DF00-6152-90A1-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001292888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.387{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.351{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.329{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13205-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.306{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-13057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.284{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.247{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.208{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12357-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.171{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.150{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-12104-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.127{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.105{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.083{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11586-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.060{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.038{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:09.015{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-11063-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.990{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.967{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001292871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:08.929{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C58B33D8D903AA37F1840880AB3EB639,SHA256=B305BBA45762B8302368B309756243DDA0218D912680573BA0758252D184054A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58BACE0E2DEDC8996AB0F0DFAEA22F8,SHA256=AC445B3FAF0194658B890A2F7DFDA365637743F107C91672B42CAB01722C9063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492B9BB6E41632B0E4AA42CA2F52BC7E,SHA256=79A5934D6908BF30038609E532EDD38BB691B11E8597AAD29C6D6759E9061706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.347{69CF5F33-DF00-6152-8FA1-00000000FD01}24323252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.856{5EBD8912-DF00-6152-9D28-00000000FD01}67125700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF00-6152-9D28-00000000FD01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF00-6152-9D28-00000000FD01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF00-6152-9D28-00000000FD01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.672{5EBD8912-DF00-6152-9D28-00000000FD01}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F25F319AB9745077B650F1AC471E87,SHA256=3F84C56C842ABA4D6DD44231003CFBC3ABD5DB6647D54B5236E4BCF070F8ACCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF00-6152-8FA1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DF00-6152-8FA1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.144{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF00-6152-8FA1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:12.129{69CF5F33-DF00-6152-8FA1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.703{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FD8EBA5FCF6272C65676156D6D7D43,SHA256=4A053F9C31B471AD77718AB4B7667F6A348F0ED8D4F89FADDFA38BCBA1306A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.387{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A0687D08D34F1595C711F449F901DC,SHA256=BF05C7A0053A72BFB0B2326FDE5D35EBC43BBA581F4015D594460ACB0FBABCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF5AE440EE76A5B2CEB441457224352,SHA256=F2E9DBAC62EB560EA03F2C2575B70218A781C6E9DA494EAEC95851B62F6C2BC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.746{69CF5F33-DF01-6152-91A1-00000000FD01}35123120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001292917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:10.386{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61746-false10.0.1.12-8000- 23542300x80000000000000001292916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2695F045E0B7D0D08B02E624C720EF,SHA256=00CD656B664CA250378A8C4220EB110BBD818DA7DADA26A25244427CDAC7FC77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF01-6152-91A1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF01-6152-91A1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.511{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF01-6152-91A1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:13.497{69CF5F33-DF01-6152-91A1-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001385933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF01-6152-9E28-00000000FD01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF01-6152-9E28-00000000FD01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF01-6152-9E28-00000000FD01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:13.356{5EBD8912-DF01-6152-9E28-00000000FD01}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001385925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:12.170{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001292946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF02-6152-93A1-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF02-6152-93A1-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.902{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF02-6152-93A1-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.887{69CF5F33-DF02-6152-93A1-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60685CA179B9916FFBA03817F5FDD4C,SHA256=E07F239B0FF2A354EC133D109CD3290B45CBB2CF07DAA2943A72FF32783EAE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:14.957{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1406MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:14.402{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289DA9D5131ABB8E4942C595A2B78718,SHA256=F841D802A73FE7271E18D7AF1296A705630CA143BF1672982335FBB529CE9CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF02-6152-92A1-00000000FD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF02-6152-92A1-00000000FD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.215{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF02-6152-92A1-00000000FD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:14.184{69CF5F33-DF02-6152-92A1-00000000FD01}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:15.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654DBDAAB1953A98B58386B7F9B933AA,SHA256=C78020451299E7D6059702C4B95C1ADD7826B128C2B7C426B9A650998684D8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:15.970{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1407MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:15.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDA00F3E90CCEFF51F707AE3A9CA009,SHA256=BA181723EBB6A881BA0BE76E68C9695B31DA529A76596A9127F8F6B01A107EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:15.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9F4ADD6825035A851E82CA529914D58,SHA256=1013D33FE15FB3132E3ADCE6566B334E669C7EE50A4BBE815D7BEBFBF8894EDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:15.121{69CF5F33-DF02-6152-93A1-00000000FD01}7442424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001292950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:16.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB5376B179AF93458A363C1F9430DD7,SHA256=6660944F268FF565181D4ABF8462E2C9F6E3A7410D9D68BB24DD9DCEC54B0C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.768{5EBD8912-DF04-6152-9F28-00000000FD01}23885676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF04-6152-9F28-00000000FD01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF04-6152-9F28-00000000FD01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.584{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF04-6152-9F28-00000000FD01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.585{5EBD8912-DF04-6152-9F28-00000000FD01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:16.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3C37151C64E33AAD815E2BADC5D3B8,SHA256=0DEFDF883ECB21858A9B30172FEC74C3BE323BBF2C96BF7F14BB9DFFF8371906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:17.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B21C8B2E446242D7990958A2DAFAF7A,SHA256=242B55B6418E20EACE96CAA683DB94D03F89DB22FA7E9A9866F97DD01CC159DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.600{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25046ECDB3843F3AA25E35DB6D331C34,SHA256=726D43D53A7820642F094E8487FFEBE49C8278EC01B6DFAB827568934A442DD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.468{5EBD8912-DF05-6152-A028-00000000FD01}11686496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001385958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.453{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C2BC1611C76249B40B03E5AB8752D0,SHA256=4A6952433861973151576B22AC8DAF980037659E750FEDE5C31E4BD08F430C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF05-6152-A028-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF05-6152-A028-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.268{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF05-6152-A028-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:17.269{5EBD8912-DF05-6152-A028-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:18.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64427427F1608CEFD8801470D250530B,SHA256=7544A83BFBE75A00D8B3AA56E1200A78B2B511A7A7449DEBD785A863F50955A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:18.468{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92A97518D83CE7351AE0A26D4ECEC54,SHA256=BC64F2E5261E64BFCE26FA08DF67933A858236BCF8FC94A01A60AC5BAB2C7D84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:18.031{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001292954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:15.551{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61747-false10.0.1.12-8000- 23542300x80000000000000001292953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:19.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF80978D27370C90F57915C8911D878,SHA256=576C06D5CE0088B2990831C168DBD24852AB945E790A7959979AD937037514AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001385971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF07-6152-A128-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001385966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF07-6152-A128-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001385965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.982{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF07-6152-A128-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001385964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.983{5EBD8912-DF07-6152-A128-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001385963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:19.482{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB76C16AD9B8CAB4C65EBC21963A22F6,SHA256=BF4146C6ED4C4F753E394E8CC3EC98978FA540E924E00AABC505D470DB59FAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:20.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB74EA0354343F660F798178E9F0BF6,SHA256=A45A98C12505984ACE044C64D5A69A94832E14DFF59D09266645207907DCE6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:21.613{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13857F05833D4BB0791A99DC0C24C7E0,SHA256=1BBA96AD60B2B59B19FD3FD2429CF30F654FDF5C770B57A55EA45D879FED547C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:21.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB7897186FE01D870CE0671FAB89296,SHA256=ED961C243FCAC35BF4E8EADFE86D3CF85F85BEB01F59166E859C38F96F45D793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:20.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62122003A91C2B2BCE774B8F92A95C6,SHA256=D243FF42923961E3325A6A74567B32989125ABBAC6DE2046B849A525C96390F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:22.613{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C730B7E421195FFFEA9AD817FF899E15,SHA256=0AD0E709040F9B3D28529C1F25FDE23C4E5B9EB5F6C72E3AE42462CC0897ACF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001292969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF0A-6152-94A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF0A-6152-94A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001292958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.505{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF0A-6152-94A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001292957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.491{69CF5F33-DF0A-6152-94A1-00000000FD01}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001292956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:22.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE3E73D6A95BBA13AC9F43D0D9F7048,SHA256=C12ED1DAA99D41194CACF51E20F6F6BFDC59CF3044D0669E39BCF96AF8282C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:23.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFA00A75A254AE34C08060A3A02AFEB,SHA256=6A373B7D807907F496FC9FDEFDAEAB0E0D705C2E0D4C18A5F1AA925CF82D41D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:20.607{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61748-false10.0.1.12-8000- 23542300x80000000000000001292972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:23.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB2ED04F6E014322016BC84C7B77BD0B,SHA256=7DEB17EEF75C1660157461024B55441DE5359C7CC94EB44A223B812F65331E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:23.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885D9CD72042E4456CFC38CD39CE2E7D,SHA256=C8814BAC5439BB3A847B525C0722F37133D0ADA44D807684B7C94150647E4BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:23.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFEFEFBEE8717A196BB4846EE488D03,SHA256=D25589BA6B50A2F418DAA03FB48C26C8C6F00FAA1D9C703E6B25C170B7974F42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:23.047{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:24.650{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1141E823D6D06356DFD10FE8398153F,SHA256=5CB35E02BD9F2E836387F677746AD34A2106F30469A117EB9B7B4A90FD7E2FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:24.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516CE6766C28578278B56D8CE2272BFA,SHA256=25EDEFA0CC088A001F70E70801E391E9588939A4C439347B7F42910576A826E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:25.664{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB95BE0AADFBA407265920FBFB03834,SHA256=77EA57B715F8EC24229AA532283F89179D8D3D828EBAAD50922360E72E6B9C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:25.084{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A531EDEB09030D559524AED6F39F5927,SHA256=2E4F718A261D93AD6D3B6DCD717F50F3947FAB5CCB0BAF99B82A3D8019B70EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:26.679{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585ECC7D3ABCA99841CAFF7F1C70F455,SHA256=9F5124384FFD9E51339565F67BB97E360A94985F2329BA35422136502786349C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:26.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F847103B5DB86D09E95BEE586262AC78,SHA256=E51AB9B02BAE7B7838B8FF18478C40A3E4B4853A1538A4574DA5E0C0F191CA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:27.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDDA7653E68399CDD2EB9C5FDC327CF,SHA256=45BCFAB1C2314AE0F8D82C4367424FA49F99362A1E6580A5AD84713E8FFA07A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:27.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4B7D550E7AAFD8C2326D172F18B192,SHA256=6DD67477F6CF253D1E11341D3F31749DAB4F2E7CFFBD7883A6DD3ABEF7522A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:28.732{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88C5CE868675F2E64104438637FFB55,SHA256=7B90DD8A1AF84F256FEA2DFB34B7F1BBE98B3ACBBE6719D87BE3BC25D13DF5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:28.115{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372A72B85AE082185777A78F5A7D215B,SHA256=D30966169AA1737B3B84EB5F647FFBB59BCED08B78E98E3BEB8827F8C8276B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:28.091{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59047-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001292980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:26.482{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61749-false10.0.1.12-8000- 23542300x80000000000000001292979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:29.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37B469DEC41B59DB792E35288339AE5,SHA256=B02036109BA2EF1FC2AD8BE6B13420627D2A8EE77F8086246E3AA9167E2C71B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:29.746{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408441AAB2492D7D5D54E4D96F933BAF,SHA256=3C3B470814A63389F06E42C4A164992A80429B9A20BA0674B891B59FD944FBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:30.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3955909611AABFD494EFCBF413BE641,SHA256=1EF175CF7459EA0783F1C1996D0906DFDCE4F32F50A04D014393C484B7951D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:30.809{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909DD3D4AAE0DAE9579247DC1560F5DF,SHA256=045F68627A89A6170446BD81679D528EF834A420954B5629109B41C657E9BDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:30.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA1CB59037FA1704577AAECC7FDE6FEC,SHA256=DF29C68C6DF645699F095AADB69C051E1AD32B192951F1044E4D1F99B195D793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:30.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DBC1FFF78888698DE60FF08E7282828,SHA256=9C122581EE09056388922AAA035822CA389DA34E855773A132C9B48D984E6CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:31.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E318FC0C1EB63E56BA646396E91DE8,SHA256=36A26E3C4154689548EB0E9903D9350752F1E0D711E3F9022BC828DB226B26A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:31.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE1F9304316A07E966C4153FAEAAD8A,SHA256=E8CA37E5D79C1258219AE5224054348D1CE07520A0B231355AFEF5DB5E59324A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:32.861{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8919748484BF7C421A37E9DEE5FF8767,SHA256=1A3D6A1DAA364E82763EB32BCE0294875C026E9CA806DB3787C4FEB107E98511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:32.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADEDBA2BA447CB4A42AA3FB99FF5B28,SHA256=D5EC5494AE27937B68F1BF85332884C2B67C497851644623EF5CEF1757ADF8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:33.875{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C113628850B3578359A4AB76E2C1C830,SHA256=651F0532C412155AFDECEE3D1088FE8D8ECC19E6AAFCDB33007218A6ECA62983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:33.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60582534A7704E38F983ADBB18555D71,SHA256=91FDCB49B9BB9DAA5FCB97CE3A5A39AAAFE2878050BA741640A8EEED4D10EC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:33.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFA2487C7334616A837DD6F03F72DA6,SHA256=7FC944CAF7BE015D4652FCAA5AF033914DB5A687548B03838EDF17A69AC9D020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:33.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB2ED04F6E014322016BC84C7B77BD0B,SHA256=7DEB17EEF75C1660157461024B55441DE5359C7CC94EB44A223B812F65331E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:30.316{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com38864-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001292988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:34.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2771979D11CCC4FF92E1A641B382016D,SHA256=4E2960B031C7BC99F6D58916F0CC04EBE27C24309E8BBF4077BE5D702689C242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:34.890{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E79C4185E85DB52B5CF0B27193EF92,SHA256=50562249CB10EC6F6DDEDD2AA94C0BA09F57CA86EE722EF054EAB1FE8C12A994,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:34.120{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001385991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:33.578{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261750-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001292991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:35.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16448860253B53C2EA1E4EF48291A96B,SHA256=66B4F88EA421FE550C08A3A99EEB57185DAB094FB4EC5EF60EA072745D3E7F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:35.904{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCDBF9FF0945FDF0CA14752F96B9197,SHA256=61267A31F0397CAE8F1B2D68C4C5C5F4F3250743E8182EF2360F27206608AEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:31.576{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61751-false10.0.1.12-8000- 354300x80000000000000001292989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:30.887{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61750-false10.0.1.14-49672- 23542300x80000000000000001385995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:36.922{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE86C4C9A2C17F114538E26EC567B489,SHA256=B15624C954058F5EEA40169E975DDFD169B1E0D42C474A3B4BDDE279A1584519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:36.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA14E6ADA24CB94527C6291E635723CE,SHA256=AFCFC1129ECB18C11742F495F781D35B8F7E30E227B385E43D52315BBBEB1FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:37.973{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8ACE1071655D435A24B8E5FB1E2659,SHA256=FDD34FC4685B00119BBBCA145CA6979EC7608C0F716D3C37D6B1B99FB4BCC7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:37.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A9B7BD085A8E1FBD7FDA8400984DA5,SHA256=CBC1484357E72CBA9DF5B61B97FCDC891372691F223F523AC1D8762169AAC08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:38.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736A00BE6F5AF2BAE91A56B3C160DB0E,SHA256=95F2BEAF663F9D1DFCBFC6E624392076E4407E2ACA7C3B3D6A60F67270E9F61D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001385998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:39.171{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001385997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:39.004{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9011925AC2D17F33CC67C48671A6E76E,SHA256=25318D7DA806D4CB0BB55A2CDCF6D4363D94DAE2F0DE7538AF6F3FB4AEC2D2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001385999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:40.022{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5AA2FC850C5B8DB6F6702A946D1987,SHA256=F67EC780EE956289D45A7273808D066FB1341C4E268BABA9397DBD8BCD561E82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001292996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:37.548{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61752-false10.0.1.12-8000- 23542300x80000000000000001292995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:40.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D548F0B0D45BC2269818E29CAE0578B,SHA256=1CE9E3C6748DE2BF9D66172D154A387CA0F14AF36C53B68C9A174B2C5A260DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:41.039{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07163B422D5F7C9AAEB43F500F4ACEF5,SHA256=A6AFCADCA18735517D80AEB1084758639FA98CA66DF3BFB6180BEC4307F57220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:41.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE5617037666798E2382C303916EF96,SHA256=5993D14C6440BE4282041D772B5A4A88C43C4581AF380C954CC6D6BE0DCA1388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:42.154{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273FD48FA7DCE9D6B3A5681E4D00989C,SHA256=9DE460EE5E7708C4C16C58C234947FCD7241529F0989EDEC14CA3748CDD9AE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:42.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA7957BA7E047550E8F630F61DAA173,SHA256=2894BD9A065194E5DC88F9C1B28588D4298E50F82C3463098F3B0E22B775ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001292999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:43.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8D7840AC0D359930CB2CCA6C756716,SHA256=B934D303E0590ED215F0CC03E60C680BF54D857ABEDD703FF6020740CD321FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:43.113{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59050-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001386005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:43.113{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59050-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001386004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:43.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F827106E3484B1D4FA2F4B6BCFD3274,SHA256=7C0202B223073EFF1EE380C6E0B1BECBC9C69AC4860FB1EF19637B474B75C8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:43.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7A80786B14FF8B06E753DB23D02015,SHA256=E54B9B6070E7CF41D766ADFA174359E0C191ABB8230A9ECE9972FC3ECF17DDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:43.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA1CB59037FA1704577AAECC7FDE6FEC,SHA256=DF29C68C6DF645699F095AADB69C051E1AD32B192951F1044E4D1F99B195D793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:44.368{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2DC83138D2655F6279710DF4E9E60B35,SHA256=993809591A8CCF8418F282CDD1BE54EC8818F9C72A0C472E6C2A1A3178276095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:44.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2447B91909F8DFEB6735FB25A942935D,SHA256=9A72DB186874F342AE9C9F4E2508367A2284AED76C544A738414E8A1961DBDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:44.199{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08DDDA4E993EF69BCF4C11EFE23A74AF,SHA256=E040C56F82439BFF8F21A640989EB0203B7FD10F06A2D9EE93D30B0D0917A0DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:45.212{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:45.216{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAAEF4B61B485DA00FEB16F5308A00D,SHA256=65CFBDB4B225ED6BBBBB55EFA571A14227D9323CFACD108CF9A9D863816E163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:45.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC1063B1BB16472591EF7F7F9787630,SHA256=09272CA135742D351DCDC8ECEF685C39F1A38834C5D37CA88644476DEADB282F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:46.234{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F40901220079676444B729E8EBC7E7,SHA256=5A82E39118C99D795FD46F59E99C53D83883A712C6FB75B7F6C668432D9B2A12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:43.392{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61753-false10.0.1.12-8000- 23542300x80000000000000001293003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:46.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED62774FCA79D127B8F3C6FBC5E590CD,SHA256=455007678A33DA6D6506E3B494B53505F5C47A05AADA10FF28E2A2184E0F343A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:47.290{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:47.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52177333FC2967A632FD5404E378D07E,SHA256=6AD01392E4F057C299E6AB81E011908F3E550B1E2D60AD015FAA2A949B7C42C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:47.815{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:47.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456FE1186C390036E3F221B30FF4A2EC,SHA256=64D01E19618AAEF78A40CB6AAAAA743DBC34AA9D9E746A1D33A06B460A020B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:48.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B0DB2D16AE79FB3DCED2E121DD8F29F,SHA256=F46052BE3A56AF8EA7300290878E5C796036F59EB3D389FE369BC31122C87E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:48.294{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33E6D4AC4ED9985BD1F0D4096086FD,SHA256=35D57DBA7C3EE099261F0BCC8F3B7BB68BAB92A6A28B012CEEC2AE80CA1C681A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:48.792{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001386014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:49.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D01F1CDE62FB54F7287CE88A7661F3,SHA256=B27547F635A51CD50D2209FCC3B39A244586DE0E7A8F3CAD64934533A42B4E60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:45.626{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61754-false10.0.1.12-8089- 23542300x80000000000000001293008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:49.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE5000CA41C594E1C6118B864165C32,SHA256=0E865D3ABF398E3710A131871057BF3DF395C0891C339E94F52BE7F221B3BF69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:50.314{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6174D066EADB1CFAA96D424A739201AC,SHA256=7E4DAE7DB54DFBC82BBDCEAFE6692CD63A52073C0763F99B0F0B978A33C7B9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:50.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3549BAB509B8BBF670329821C09CFA1,SHA256=A4E68FEE1524DE2E92A0EAB77C35A88186B3FAA377843625996BE0403380F5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:51.328{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A824F551A3B17B8317908988297F820E,SHA256=DE018013936CE7B8CE08E1CEF1AB10A36E1EA7C8D4BFE5C2EF74DF4A83290AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:51.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E4DBA8112D9C8D7A0A7652D8900FB4,SHA256=E62C2558614EA37C0016091E4521AAD8E44B930FFF76556D6B751309D3C9FBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:49.439{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61755-false10.0.1.12-8000- 23542300x80000000000000001293012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:52.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFFBF994B1026DEB58A2CC1C5344EAF,SHA256=6B453206976FC0B99291A4E2639FE98AB32ECC45F9E40A92821C240E600DF95B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:51.058{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:52.343{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE941DB9275A61D9D16C826F926297F,SHA256=6EAAEF25DB7A4CC5D2FC569E44EBB7039FD13F4BCD55D260CA865474EFE795B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:53.358{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6E874A24B85B774C30A3012516769B,SHA256=6C36109562E07A448C6F5F2F33288488990B7F84BB1C14F55A92516156DE5176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:53.150{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EF70B55083491581954A0F02072F2C,SHA256=21A7073527FFE3B5071109BB66F4D70748B07CD38B89D1CD86EE1A7E9951887E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:54.373{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BAEF9DD8096C33DC6DC739DA762786,SHA256=B5BC20AE2E974D47E1CC09DA9B5D3AB74725426DB0878F9150639AA054734CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:54.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9EC672C8D26C85479F8C26A4EF97E7,SHA256=85B28C03EA2D1908C175F64B24F1295F8C72F4BDE5EEC604D91A27D2684BD119,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:55.051{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261756-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001386022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:55.387{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7CA92D00BA2C358A9A1F9AA632F6F0,SHA256=5A5C8F95FCFE66C622543C905BB2D1B345E226A6C7F19685A1160819C2B051E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:52.280{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3794-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:52.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3685-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:55.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362123CB4EE2E17A15E1FD35115467A9,SHA256=4720F06457F0667D30425C1BFC6D1213976A17B392779608003F71045C388A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:55.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB3C767AC6ADF9C7578AEBCD832AFD95,SHA256=41B6545BBB52A2BF915A7EBB598FBF533C5D40A10333AB846E672CAF3846CD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:55.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFA2487C7334616A837DD6F03F72DA6,SHA256=7FC944CAF7BE015D4652FCAA5AF033914DB5A687548B03838EDF17A69AC9D020,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:52.360{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61756-false10.0.1.14-49672- 23542300x80000000000000001293022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:56.181{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B74957A83A1D3EA7473A1B91372D96C,SHA256=DAB6DB1A6EDCCC190B4C93BA9805259913FA6EC40D7263A0561C760C118369C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:56.387{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851FF0EDD8698DDA09C04B410884933A,SHA256=6CFB0ABBC5031D006D8AF5B922C645C95E5A8BFB278E4D6DC1349057F749972E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:56.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB3C767AC6ADF9C7578AEBCD832AFD95,SHA256=41B6545BBB52A2BF915A7EBB598FBF533C5D40A10333AB846E672CAF3846CD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:57.408{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3788C15ADCB896D498479293A96018A0,SHA256=5CA1AEF7D7B55CF63C812B6D5FA9B9B77156F88308CAB6270C4F6857956D2746,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:53.396{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:57.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FD1C3CB3BF95531E8F5F48244703D7,SHA256=166CEFA74286B6EF3086E8816C6F8B5D795C244AA5405207EF4DDD1EC063E31C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:57.181{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E654AD51433017BBF548F93DD7EFCA5,SHA256=A7CFF62B40909C6F9A06ABE395B13EBA689EB6FB58E3157E5A62B757EBDDB12B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:56.185{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001293030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:55.470{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61757-false10.0.1.12-8000- 354300x80000000000000001293029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:54.489{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:58.420{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=796091C71ACF1BCBDB138DF42642EC9C,SHA256=90F7217FD9FA0310FFA98A52F5661B5AF3A67450C273FAA8CDBC18F5D01062E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:58.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A293FF1ABB2FCA244EAFB601FCE6119C,SHA256=05AE676D8F46AD8A0DD3FD550CCCD14127987730DAE279A0A7A83262CB23E1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:58.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A34144BE2AA1302CDCB72F1B4DCE2FD,SHA256=72FC6D7E0B561B95B01BD4CB1D187C9CCCCD2DD407BBBE7A98EABE80213BC6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:23:59.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE13BF937E7530775C79DEE09340445E,SHA256=1F992E81EF2560B4491C70C1F9232F39C1973B8A2896C8E493A5C4B62848F52A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:55.673{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-17172-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:59.498{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97C35D84969DB4FE563009FF34D27023,SHA256=719B8192C4197CFBB918D92FCEE6FFF8918C711D445164750092906FC36377A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:59.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9C4A3140A961BD130205ACB7EA93E7,SHA256=82133819992B5F49B5E3135561EB6FBF2735B2CCCCFA4A962B350282C5AA5AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:00.452{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D64C9EA12808548A480414ADF59B069,SHA256=DD92ED90F30EA42648B2849B0C1E54FCDB269F7B04B1B7A15DB6188863C3FB33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:56.792{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-21679-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:00.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08132EF69C7913CD1AA3A901497B7D1,SHA256=2260EEFA190BC8C5B86A6247B99E34FA42371112A56AB6E5CCF23D9A0C342138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:00.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62AEBCC35752E63D1FCD514952156FC,SHA256=F523741F57FE690003768D95FBF0D5FDD144D8EB113099901980EAB83272B610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:01.482{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A7057D5CE48F77057FFDCAB3D1665E,SHA256=4412D7852FDE64A94B903DBA6D183FCA8881D66D5B1353046B52FFF2C72678AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:58.996{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-30239-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:23:57.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:01.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273613175E373CE57299232AF5D87842,SHA256=CB0DC5AD7BFA529F694B70A327C18AB3D85D0BA30E1B5BAB4C9E1E5882BE5EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:01.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7C5853B72399AF006A5379A623E379,SHA256=D602C3728103573A62B69AA867E4DD5D372DD74E1E7186CD722A74B5459F1C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:02.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E686F64E832DF95E9E17E58C1683074D,SHA256=94FE8D62CF3DD032648A6F7CAD3674595CA287159AE73920D38C1AD1DA8C7F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:02.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2431502F2E8213579A5BDB99F6A5010,SHA256=B3DA264F054CBD6A1E244C820C0FFE753EBE7E27A900EBFEF81E314C0EB20722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:02.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E9E4CF98FE9BE8ED24E3901F523F57,SHA256=1B52B4AD5D4C3C0BFE7BF2C7EBD5598304E64EA0554262D95BF7265A8F99EE58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:01.098{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com41930-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:02.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0EDC30DDC8DC33AD5BA0B4B4B8F3B6,SHA256=089D5CC630D147CA05AFF04A1F435425372FFFF444028B6BE8CDCD4E671F61BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:02.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A7A80786B14FF8B06E753DB23D02015,SHA256=E54B9B6070E7CF41D766ADFA174359E0C191ABB8230A9ECE9972FC3ECF17DDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:03.500{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE0E5085299278FB75958CE1C5A045F,SHA256=AB1F2A481ABBEE3896E3EB28BC90733AAD9BF311C8CC095AE5E4555F9C8093BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:00.073{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-34654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:03.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460DC41637789A06CD045523675C0A10,SHA256=2EC6CA074DC014670BD7C4CEDF1F485838346B90EA42CE88564A12410CF13970,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:02.095{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:04.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F1097F765A50A88AB3C113634320BA,SHA256=4FB37C52586A348C993F3CE65BD06A00EA6AC8C6DA3254012676D06C024FA71C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:00.490{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61758-false10.0.1.12-8000- 23542300x80000000000000001293046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:04.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FA9F04DA2B1A10D6C9D0E5AB29BD24,SHA256=D5EC6B5697CCB6755C2F7AD63481818F744D71B941D3C2C9D3EA8A5A60174232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:04.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DFE2D268F20F25BC2D68A4FF6C48E5,SHA256=723CBAF76305E5AB1C912C664B6BC36309B4D21990443605329ADB9BA94BF59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:05.551{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD28FA5C4941C5AC27820800259798D,SHA256=FF14DFF1322CAE9412FE8DB97BA4E709E79518BBD43A1A529449C289EC442BFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:02.432{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-43840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:01.315{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:05.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF49263AB74C986E991905D2046A17F,SHA256=4E38F9C27F2D3326CF9F3853899ACA020E22571FA1A365DF2E55075C75588FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:05.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9130F91C77ADE312820389CBD8AAEA7,SHA256=FAA81B6E29AF343C0F1E7B389AD3C4D4DE34B5A41336F898E1DF34CF6FD429D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:06.600{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16255532579B06AC3A3A82EE27AA92D7,SHA256=07AFB989DF6376DB777A58F9719266D169485C3FDEBD85B2012436A7D07B7F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:03.511{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:06.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7FACB946323ADF1DA14A3A8202CDBE,SHA256=FA525D7C3F4798960E916A0A026AECC68211BC80C601AFC36E20CAAA64997C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:06.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625FB693EEE98DC29F53616C21A36527,SHA256=1B3D0F78CDB93F0688F142B39704AA21642D88804397A85082385165C4EDECDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:07.618{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F4731C14E293FCB6426C7047335EF6,SHA256=C2F586AD10A4B627A8F7FD67882071974EEE51FA163496AA1FBAE15DC180CFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:07.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61C04F78BDF1BC9BF5FB4011331152F6,SHA256=F41B98460CF9D7D8A4E45F24014ECA70C1F3A380A1CEBC7FE59AEE664E81A386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:07.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476C11F9F690B2903D448A07FC11F428,SHA256=69DDC0E1C1784F7F17CDA554381FB0CCE4C1A11CBD5548B5713E5406893FB0C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:08.648{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85701CEEBD59B48249139E8F220F2CE4,SHA256=B14CE20AD091E37708375DDA5C6A820D47A7015893228CC51089DFE058CA0851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:08.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8243D2F365148353588D134C72A5EF2,SHA256=FF1EE13512B4EE311CE284884AB23ACC94B99F5BDF406CAE9A42B2294917F102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:08.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD00320E26E60984635947CA58C01EF6,SHA256=9EDB8C2E19BF30098FBF55725B1284AA1C76B60561A185EC488EA40A10052CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:07.132{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:09.653{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83CE804C9CC36B252B4DC467DFC050A,SHA256=10D731984355214EF868F1EB854F32C415364086282436BA5DFC5819E6A6AA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:09.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37DB219565ABFAA2E34F5360FEBEE66,SHA256=22F7E4C61CFE6D8EAE19447EB236D9247BFF8752C6B908D5B3916641563A80DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:09.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27129BE1E2A5EAB36AA9EB8CE6D1D47,SHA256=3880A330DD213A2D39EA31CEF89DC8C26918D5A9C9471711358C7609B94D79CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:05.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-56948-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:04.588{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-52582-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001386062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.996{5EBD8912-DF3A-6152-A328-00000000FD01}10206572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.896{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F76CBDD6D197CE8370DB9C62EA848AE5,SHA256=A48973FA819188AB46DB1C4847CAA9050C1AC65719B9D5C26B1982EC0876DA06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF3A-6152-A328-00000000FD01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF3A-6152-A328-00000000FD01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF3A-6152-A328-00000000FD01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.834{5EBD8912-DF3A-6152-A328-00000000FD01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.679{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B7E54CF2BB881E365327D558251359,SHA256=4F8B119C02C984B6CCD745B1425A0772C784D8A6E33DF3BA5338330C210C3233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:10.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC2E542272080C4772F2917F1107676,SHA256=1A333AA45170587A14559EA5765B7177B8A2DD2BAF3AFE3AE84A62D68F4068E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:10.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D67E4C2AEB980EA7A1F07AB2FE0B21,SHA256=4A57F6489D18AA160D3CBE3255CBBFA1FC670B23F2E27A08CCEBFD782763876D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:06.839{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2507-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:06.428{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61759-false10.0.1.12-8000- 10341000x80000000000000001386051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF3A-6152-A228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF3A-6152-A228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.169{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF3A-6152-A228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:10.170{5EBD8912-DF3A-6152-A228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:11.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C010A1EA13616F99CB89F19BC5286CD,SHA256=CCC60AF27B88BCAA23B56E6220BEAEB169B06C45B3A956941EC4FD93FDD14A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.967{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D32D1D28E37B9AE82D8C460CAFBD1F4,SHA256=356EF604AD8548321A3853114EE704605FB9526B9465AE0A88E05D16A6FA0227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.670{69CF5F33-DF3B-6152-95A1-00000000FD01}10963548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3B-6152-95A1-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF3B-6152-95A1-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.436{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3B-6152-95A1-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.422{69CF5F33-DF3B-6152-95A1-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3D366144A8ABF754C039CC9E9C9A7F,SHA256=AC02CAEC79839947544ED5AB0421232AD33EA7966280A33B14C5B5E581B5F02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:11.181{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3127D3A5428EB4FC6E03371FEA11BCC4,SHA256=3A94EF5E46404C8819B019BEA142670473558728CC87105C9F2FEC7AA7C49C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:11.181{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0EDC30DDC8DC33AD5BA0B4B4B8F3B6,SHA256=089D5CC630D147CA05AFF04A1F435425372FFFF444028B6BE8CDCD4E671F61BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.695{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F113247EE8D9B05F27F1F2908AEF14E5,SHA256=D06ACE57D4B1DBEE12673BEB50A41E778F8FE25DB4BE6B21BF0D6E6A893CD3F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3C-6152-97A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF3C-6152-97A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.795{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3C-6152-97A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.765{69CF5F33-DF3C-6152-97A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE6F5F236DCC9693DDC0D72D830F91A,SHA256=FF8D5B7CD024DEAE3CD468E50726626610AB487D3FEE6F6B4FDE04A80328D6FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:09.101{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-11464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:07.982{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-6859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001386073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF3C-6152-A428-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF3C-6152-A428-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.680{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF3C-6152-A428-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:12.681{5EBD8912-DF3C-6152-A428-00000000FD01}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001293096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.279{69CF5F33-DF3C-6152-96A1-00000000FD01}3400956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3C-6152-96A1-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.092{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.076{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DF3C-6152-96A1-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.076{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3C-6152-96A1-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.047{69CF5F33-DF3C-6152-96A1-00000000FD01}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.716{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EFED11D746F882B5E6CB349487DD8B,SHA256=E91DF26CE169225E7A128A63CE252D5D8EBE137451A570594806C4DA7E0C6AF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.658{69CF5F33-DF3D-6152-98A1-00000000FD01}30441228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3D-6152-98A1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DF3D-6152-98A1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.486{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3D-6152-98A1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.471{69CF5F33-DF3D-6152-98A1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001293116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:10.338{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16448-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A45E405D53002A6955E5FE1498114F,SHA256=55D08AC11D81AAC618BDC7AF57648F18CE31CF58C99E090E466624F0D11585F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.377{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5724MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3127D3A5428EB4FC6E03371FEA11BCC4,SHA256=3A94EF5E46404C8819B019BEA142670473558728CC87105C9F2FEC7AA7C49C85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.532{5EBD8912-DF3D-6152-A528-00000000FD01}70682892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF3D-6152-A528-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF3D-6152-A528-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.363{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF3D-6152-A528-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.365{5EBD8912-DF3D-6152-A528-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001386075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:13.031{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8219634C7FA8BA8B3090CA0B46E959B,SHA256=0BDF458E2F6374260B8BD11B3DDEC566DF53EDD8295EA079B538E655DCAEFB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:14.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF70164079F618E1A552A9326FF8DB1,SHA256=72978388CA5037919EA1B3199FE91601EED04ABE4F158FE78B15565DB2A653B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3E-6152-9AA1-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF3E-6152-9AA1-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.859{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3E-6152-9AA1-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.845{69CF5F33-DF3E-6152-9AA1-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F593BE065AF4CD0BE3EC0DD359236040,SHA256=979EC09BD75FCC9A5A0C84BD074DC5B8A7D3E301C678B9729074F3E63A0DEE81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.461{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61760-false10.0.1.12-8000- 354300x80000000000000001293146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:11.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-20745-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.378{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5725MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF3E-6152-99A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8280DC3D2F2A0E2B52027D2AE3CA7A18,SHA256=CEFFB80189685A70CC4C7C0D6D5460E019BF0A5F95494C776FAEDF1EB310A867,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DF3E-6152-99A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.173{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF3E-6152-99A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.158{69CF5F33-DF3E-6152-99A1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:15.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB3D12ECC1C61BDF1DF8CF6DF209D96,SHA256=CB3F5F9883271037AC4235B7A07CF3529669773EB016B524EB996706A245067B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:15.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14DB47FA2457C48C3CA79963C022A015,SHA256=FF191AC0EE756B58C7314A1BE7BE09B990DE978D899A9F47F27682712C49C687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:15.767{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E577A23C29C0B2681212AB0DB1A5955,SHA256=C8226FDBD1472FB27CEA059C0177AFF9C2343C2A971BEF0636566F1BE6F449DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:15.050{69CF5F33-DF3E-6152-9AA1-00000000FD01}9362432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:16.472{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CC5912F6E447E061BECC080EA3B0A83,SHA256=763E3C461E2119A3DE7A0F07F6D7F4FE025556DCC3EF050A137506448AAED1B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:12.545{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:16.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2F201684B805A0BA6EADD77CA3E09F,SHA256=E1D2BDF8C40A0B68085210817AC63EF55F1DF8F6E96BE81A6EEA992ABABA5AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.799{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90537761247D710B3A6C99127044087C,SHA256=FC6DE864FEA6BA548EB45902E233E86526605D7A5B0F6792944E862470CFC6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.783{5EBD8912-DF40-6152-A628-00000000FD01}33604608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF40-6152-A628-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF40-6152-A628-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.596{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF40-6152-A628-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.597{5EBD8912-DF40-6152-A628-00000000FD01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:16.501{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1407MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D38F82AA83762B170F62AF2D6E70C6,SHA256=3AD98CE699414C83E2B73A5CC1AA460EAC29C48F8CAE73C17D0127BDEA815D14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:13.782{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:17.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379B1500E5C2C0AE30FC7FEE004E6FB7,SHA256=085804A18710033980EC465BB7A681F93B302D2B61F04334BDBC8506C437E804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:17.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A86D9D2B1E3EEA43A7D101D5CAC7293,SHA256=4B42845FB0949C6C2605EB2536637132475EA8249DA3394E523B94A1828BD205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.618{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA862B8886959CDA55EBBBD1A1CAA976,SHA256=CDA5B9A106D3F87D13CD18FC5247346C6180458E6A3CDDD2A16E6B6857E5EFE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.515{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1408MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.451{5EBD8912-DF41-6152-A728-00000000FD01}28046304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF41-6152-A728-00000000FD01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF41-6152-A728-00000000FD01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.267{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF41-6152-A728-00000000FD01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:17.268{5EBD8912-DF41-6152-A728-00000000FD01}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:18.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5271F6D09F69D7FEC0E1D70E7BBC9E8,SHA256=B3C00844F096B3F65D7EFF8C5F5FAB8938B9E94DAD214EB7B44B7A3EE4876E81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:14.860{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-34173-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:18.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E3E1FB91E9724433E7545AA39A2077,SHA256=3F728B3371F3F3CE86EAB7D2885D60B6C558328A4FBDC843DD3B633A9B820CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:18.211{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:18.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7470F4D9C71473CB33A4A154CCE13EDB,SHA256=6FC8BD40E2BF848173565D400733FDAF56540CE834B08405E88B1497A8301C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:19.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BEBA8788808E82D20EF7EC51A9AE1D,SHA256=6DD34C1250AF76D985770052DDDFDFA94D2870DD8C7966BE1A5FAF97A2599401,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF43-6152-A828-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF43-6152-A828-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.981{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF43-6152-A828-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.982{5EBD8912-DF43-6152-A828-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:19.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617FE298DE21EDD03DAF87FA7DDEB517,SHA256=15E8F5125DF43F6D605E61181DAB316586C22070379BD918720082DD26E8DC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:19.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEA741DA1168FC4B63558DE77A940086,SHA256=CC634AE704EB7AE0428F232C0E27D7DB6E1D25A7B86CEDA221422BC26820EEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:20.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBB44CFC0108C84FE1851F551A7AD37,SHA256=8EBDF93CF61844A4DD6B016DC921D30DD0B139666EF80862B07F14C93BB9B080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:20.996{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B285859E3AEFEFCD6EF22D803F2E279E,SHA256=20F55AEB8F13F8AC6B86D6AD9DBF1693311C56924999D814B0A996D1B25F72CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:20.880{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B46DA852E899290D98A828665B1312F,SHA256=3D23496CD9E795B3A7B3287C92B5A68C4D61DCCA2965BDD13CD2B0A61D572EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:20.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE0DA9E61ECA4642443936DDCB7C8F05,SHA256=EB3433D404C18D5A61E03A7376F067D8DA84E7E8A877E0845005F570E6F87103,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:17.411{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61761-false10.0.1.12-8000- 354300x80000000000000001293177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:17.025{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42917-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:15.938{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-38495-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:21.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E698D2DBFEFB58A28BEB23DCAAF7C9C7,SHA256=2F9992D6FAE785CA1F965B0DB712C6CE5435C90B1892589E235B1D7E50F62EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:21.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=527E87BAC0227A775512F798261930C8,SHA256=60640E8509F2B62740FBEF129ED932A3F31D87F76737F6FCC8E5FF423640E4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:18.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47064-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:22.914{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFE5C6632205572687CB938C33D6CB4,SHA256=492E469208F32EAA46D0AF27794B709142DE4EC6B6986F30BF6F5F99F3D8202C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF46-6152-9BA1-00000000FD01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF46-6152-9BA1-00000000FD01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.497{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF46-6152-9BA1-00000000FD01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.482{69CF5F33-DF46-6152-9BA1-00000000FD01}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A448E007EF7DBCD6234183832B93B34,SHA256=964A01981E7A18CA15A9BFED651828CF671192623039D4C2CDEF5E3420411B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:22.680{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C077B6C42DBB142C42FE9DB51DAD5520,SHA256=731947839B3E970985B71274B32D94875A07A58CDD5BA637818DA0CE15DE55E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:23.949{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851137F2F3E56FD594D12520F8589271,SHA256=E79EA450A6B6265B516385C99FB0FC7BBF1B90579DA8DA4F912E42E8006C6FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:23.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D858DC994D003B2E3FB758D9F7E72B1F,SHA256=FD1077307584252FD27FB4009882A1FB04B39F1234FE0FCDE0C3549F87F70041,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:22.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com53170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:23.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63707C3DE834E8540DEEF49A47C6D5DC,SHA256=5ED37EA5224A0E706BBDF5551A1AA453DA7F97D58EA4D2EE9E9B6B61A0CEBE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:24.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A7B0F12720B30324BA71AF0B6ED238,SHA256=14AAE38BB2B03C9430E2DA174FC4761C0E0CAFE1B324FEA116203E46B83860AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:24.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063AA5726B78594D08ED13822C111D29,SHA256=C35618FB8EB80CBE18C9BF15BE36B71E6B1F5046837D3257E20B05FC1A3C19FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:24.132{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001293201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:20.353{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55822-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:19.243{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51341-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:24.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B65120EFA33F7DDA7C4C29386B2EC52,SHA256=61116C8023F2F661255112F15DFD6B39D97548CB86E016582CDF5CD789653746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:25.979{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB13DCFB746B18008A1DAD6E045BB103,SHA256=4C812350D18AB1AC66F80F572F266D6D52747ED84DE9805D877F61D049FCBEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:25.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0C7B89FB621F45346D78CBCD32DD4F,SHA256=30039F77F422F44BF78214A652EBD8858E6F917A8230F0136EF15DE053549F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:25.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27C1928CB89C20A90C1BD67CEA82C2F2,SHA256=6C45E977AF7113C17C0A1B2B4C1C2A1CDAEDDBD695ADB6705B1D729802A4BC6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:21.431{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:26.993{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAF0DDCA3BB1972C3B731A2D7E746A8,SHA256=A80A8ABBF46D4A22DCDC2E894FFF97984007622D234AD69EFC709EFB4F73ED0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:26.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1134FB43265433E84ACDB242D23ACA4A,SHA256=5C67EF8CB7B1333DFD01E69535B9D03D98D945E9085B60F88E5665FE14F98CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:26.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6255BD14676F008780E7DC45BD058FD,SHA256=EAD83939888498C548052D30BD10764568C95E7EF139A33E2B5C19C21BEA79B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.521{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61762-false10.0.1.12-8000- 354300x80000000000000001293206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:22.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:27.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1D671FF8F40082D7D31F2A9D874195F,SHA256=91E692A1D7A3766D96C39472C2828CC0DBC414B19874BAB6C7EFDE62CBD3F187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:27.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC67F3A446F8D88E27B682950CD86145,SHA256=3CA1C1A79DCD56AA1567A38272E6C6F6A6942CDE571F324D6D5108057CAD2E3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:23.600{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-9430-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:28.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18FC085593945796D90854FBE1745441,SHA256=334183078267912BC69D0E3EBF6827C0FE6D3BA121C70EC53394D2006B006B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:28.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2F020FC4DEE7DB596FD6CF4FD8CC5,SHA256=CCD9899AAD899D514F1DADB46209AD85AD6C8A902DE92FD481CFE45DEA5AFFF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:28.512{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-56674-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:28.488{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-56505-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:28.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C970E44F9F1773B3ABAA00D30713711,SHA256=7F5FF9D01B5E636AA1B6BFA0E89A4E0531E502808A61BE66AF6C70E903A98D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:28.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8ADD9E4F65EF1C7C9986965B508C87,SHA256=08273F94B54EEB151135AD54597F424B5A37BC314B4EB715A1BD909BF6B4E2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:28.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6782A34C2F8C30F6AB9BA57F54B88B8D,SHA256=BD1CA642ACE94B1ECB2D034BA5B34509241A73547D975875D8F08E76636614A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:24.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:29.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6849883779EAEF3E6921C50BB5B8696A,SHA256=06B477DF2900B748C70F5C7D32AA5CD0CB7B7208FC28657FD9343DB0E4033D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:29.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C48AA067FB847ED30C34D2FDA10EC1,SHA256=DFE89F8E4E38B7F659265E3506E6E21C2F05405433CB0804FE9EBDB68AA04D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:29.790{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C970E44F9F1773B3ABAA00D30713711,SHA256=7F5FF9D01B5E636AA1B6BFA0E89A4E0531E502808A61BE66AF6C70E903A98D63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001386141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:29.475{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001386140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:29.475{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=9F92AF7BDF4738EA3775A7102708EDF3,SHA256=BECB72BA810763A60CCE7CB12C1EE941C649BC4559DA0F3AEC0CE6B11A1BE522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:29.075{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F80CF361315A4CAC30E9CC26972BC7,SHA256=5C997A3668CCB739B42360F7CA730EDE3D398818FF8B4C50431601073C9ECAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:25.838{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-18095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:30.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C70B2F05D4C50CF7D07ED0B500C4AB6,SHA256=3423CF708170D25F207871D3A675EC62E78BA0DC27FA009513889ADB23FDA690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:30.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5452284FDD3891CC0386AA45C38255F,SHA256=C5DE6071BF8556150E3ED66E2E76729CC639722B147F33D6533427AE874D544F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:30.909{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=158FC519DB8512D764B2DD644AE65D0C,SHA256=E638527498F4D097D87146F664EF72ACC60A3403468F955EDC4D9DE952F8461B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:30.109{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A7C9402C86E161DC37949080221F27,SHA256=D7049990B49A4FBDDC49EBB16BE6AC9873F1317601D57642D69C84DECE3F5BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:31.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A0582C652D6F74BFEF8572AF2CFCD1,SHA256=1BE92BC14DF0CF532C516BFA4C63A227CF0BE85916924EE792CE6EC3703A502B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:30.820{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-9575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:30.157{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:29.593{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.111{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27869ABC3C6FD2AD4DF931D5257DD53A,SHA256=AF7E9120589E3CE447A68190C79BE6B7360BA8DF4EC859B56506E50EC5E91E97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:26.915{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:32.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6271EE7C442DCE9CF323B068E5D8D9,SHA256=A77C65DE00C7632B2348FE3696D7B925C22816497772F74C75DEA84D3F010B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:32.173{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C0EC1BB86BDAD93C93743B1CDA3495,SHA256=8FFC96AE024EFA63281491F2F6A8B2007752A82AAD59451411E479BB5B6970C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:28.489{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61763-false10.0.1.12-8000- 354300x80000000000000001293224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:28.008{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:32.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF349CD57E149141E7585247C58DDD0F,SHA256=A63FAA14D7DEB50BC9E7E825CC3F1554EFF6407B1A009BC929FA7D6F9D623C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:32.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A91559EB5388F264B18B2AC8CCF3107,SHA256=F7416E57E13D224AA02AC64FCF51135E2F1ACBA70DEE0CDBEF6EC1A4E7BA7B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:30.460{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-36236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:29.306{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-31632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:33.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FA48D7E0CBB2E7F2DE3A7BD095B2D6,SHA256=B90630A32A3A04DE1E6F17EE675978EC3CB544C95C4AAFD8D980E5DD594A4AC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:33.063{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20935-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.935{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.661{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54863- 354300x80000000000000001386155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.660{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61768- 354300x80000000000000001386154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.660{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65198- 354300x80000000000000001386153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:31.659{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50119- 23542300x80000000000000001386152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:33.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1C48B6C37275C8D7294CC8B335DA3BA,SHA256=C164FA9DBC6BEFBB26C8495DA7141679B48847C0B702FF4C562DDE84AEB03C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:33.188{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F65A3A8D06907A4A0420E0E10E2DE05,SHA256=D6ADD43654178CD9F7F0769A3DCD15B9686341983EB93BC91A3239179D1DCBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:33.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFAA4D057D03BE405CA52CBDF04B837,SHA256=44B07120BF4D27588C74EEF89DCA8B38BED59E24CE0733105AAA774A9E607C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:34.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677D4FDC424750A4ADF815C3BBD79F08,SHA256=B7E5E12DBFF0F3EA8002272F9B214067C733954A6D083FE05CF8917A9DCF1104,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:34.243{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:34.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E42F879E58F0EC68A78B8177F61A65,SHA256=E106AEFA9E8D00DFD1908722FF89732E87117E641FE37F8A0CBE7A83B1A7CF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:34.207{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A477D4A662C7C822B5CD738A10D938,SHA256=83D02A6FCD6FEA8637872E441724C350DC8A296EFAE4B4C1BF69DBF15146BE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:34.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4E8ACD405666972A59424E855E2F4C5,SHA256=F0EB3A183053A3152D2D0AF13B60B17139775F98CD67E7BD2630E4122636CE94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:32.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-45124-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:31.586{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-40724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:35.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D27D584DEF1087CDB976F2E82B1B6C0,SHA256=2ED512D87088F0ED7F77A17AACB3E11D71B9CF19F126BCABB0EC66E99E27AD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:35.653{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0E3E806000CB320CCB930DFA610567C,SHA256=F6B71AC5E4CEABAA72A85F6108E188870D0D98DD175516A3D5DF0E103B482D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:35.238{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A51A9E4E32E2A454109F4695D0A349D,SHA256=B0A748FE106FCD471C06534472C49C2ABEE6736A1497E54B5915163A9F9EFFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:35.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0799BB4F7CA66C4C165C831C647139A,SHA256=FB9A6D53BB1E838C62F9C6D4FBCBA619AA874D4C40F5D0091EC9E32E9032587C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:36.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B04843782C94BB4CE61635B93DCC588,SHA256=55AE87B91CC5F7A6BB2E0E0196B61DCC701DCD9E21FB5635F2D88496E9E9FE23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:36.198{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:35.573{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:36.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFDD3875E1B8C69FD00DBF716110F76D,SHA256=EE949BDDA74CA4062EEEEB3EF2888232A7AE0C066465AE7B2D68F68D524AAB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:36.253{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447063E599D48A519160E6F4C27C18F0,SHA256=CCCE9FBA33762DA4F65CE18FD4E48266D9FCBC36A2D087F4AA0F5F0DD038E1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:36.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0864725B74A18860E2C97FF0EA6D2817,SHA256=8750A14D4E225DA1356BEE46CC943D179D92DF55B65F5635F5F7800546506805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:37.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84DF0A1618B30EE26F445B80AD2266CB,SHA256=FDC725BAC4D32D3301D9F10B5760F9122817E738462A3869BF464FE7831BA40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:37.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9FE54E38485C70CE72F94D856A3194,SHA256=32B3ACBBED751E94EA97A3F725161CE45D0C6646D241298BDFDE9B06A08A822B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:36.670{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:37.867{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6472D3D901CCFA3C609CE9F85BDB838E,SHA256=2DC2C945AE0EB78A21D9CC17B55B5BBD831A02F56320FD4B1A5E34322F188849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:37.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4D2EE456072B1E54219240BC3683F8,SHA256=EF49D34845F5F1E361E74EEB319D175AC536432FA1756D45799A936ADA46AD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:38.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FACB0FD8801F8317B31393DD5C27DA97,SHA256=1EBBAAEF882DBBD65A45140FCF84E333C6845B156170659D7A6EEA45F4ABA8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:38.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B2D0D1F556C99FC5195E62DB712169,SHA256=2A07C2857D04647F3B8D3A491B2CFF52DF85F348DBDE250C3DFB7D7DB89B104F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.701{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.700{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.699{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.699{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.699{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.699{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66809645BEC795E669F4A6D21A96EE1E,SHA256=BFD0A24F67BD194408D4C187B3AFE0757F9C831002D573C758AC150BAF5B0675,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:34.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-53553-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:34.411{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61764-false10.0.1.12-8000- 354300x80000000000000001293241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:33.822{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-49578-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:39.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A9B3050AEBA4A42606F5E119D947D1,SHA256=380638CB5FAF480158E96181BD42F1489942C648B7D60295150F59ECB947285D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:39.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0871F62DC6657B5EE61755D5A72E358,SHA256=FA8EC6623F838727AF52AF50929B1CAA961D5BAC2881A7A2C4E7F11D7C0F7EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:38.899{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51015-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:37.770{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:39.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4A8437F192F554649371766D2438A0,SHA256=9813F493D94181260ADEF46F1259D4E1F725047884AF2634323AA84DCE1CE857,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:36.040{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-58054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:39.000{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53842794B3CABF8546A75380536AFD6E,SHA256=DA84ED261A425A3137CCE8BAC5D2607F49D2E7DF747E57D14CC384E6B9D82278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:40.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9463FAC6E95E3A43EFE12766D967A8,SHA256=7351D4AE86F345487EFDF8A23137ED9FE93C5606BA06D519F3213CFC98DD7BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:40.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833A54F4B6EE9C8BCC6FA75E33A099C9,SHA256=62B3260A0708439905B2D4A3E596A514D3527FA508DB037808BB9C43FBB791FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:40.061{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:40.481{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B6F549C02741D6AA4945BCCD915D47,SHA256=261876E797319792B78907C9AF2768AE36243F9A0FEF1F6DB00E974D52DB9E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:40.150{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCC0141D5A4D41861100C02329DCDCC3,SHA256=D41BDB2AE42D0C2EC9FFFFF6AC25D32E631F444A997EF7D6AD6F7CA69E9529DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:41.699{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:41.697{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=54DC452CF648BF9302B01A21217211C3,SHA256=F507DFE0E291ADA065EC074069C3798A299864A1D0FAA1E540899228A4AFCD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:41.499{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8365D02B93B05DD4F036D32102DDE6D2,SHA256=9DE2EE0A5E98A806B46E310D139FAFB36DABF9F734305464D32587B8353BA721,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:38.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8275-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:37.170{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3738-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:41.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735AA9627A5632B7838F25CEC55EFE5D,SHA256=3C850AF142E09FB07C072A0C6569D72BDA66E358E5DD234CC7A4E6C12D20232B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:41.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E53B1CE7B8183CE43754DBBC60AD9BEE,SHA256=B5C2C35AA1E9FC2075A213A7BA2C0261F68A5435CB4412C7082B51929FE3D3D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:42.575{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-9848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:42.230{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:41.345{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:42.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E566358E8446099B35CA2EFB89AB59C0,SHA256=27C62FCA8856C9001C48744A94BF9DF9987D69F613495553BA1CDFF00DD9FB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:42.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF667527024673A92E9FDCA21B86FFE1,SHA256=63E36AFBC7A2F6BA0D46B8399241DA64BBDA28635318742408E75F822827F3B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:39.370{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:42.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C2BEAF110C7590D41DE5C665F5A80D,SHA256=9C0639D5DDB8535665D608CDA1D5F215CE354E62675230305F8F68675EAE566E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:42.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A06DED483141DA3BCC1DBFC5C9512311,SHA256=FD4580E077A96B50B96BA0EF9021A27BD9DA177407C5DB5610F51E225E706662,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:43.737{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:43.115{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59063-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001386221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:43.115{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59063-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001386220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:43.863{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B612E17D1DC96784A99A0E3FDBD29FCE,SHA256=825F08E0408E1F70D79884DE10B3C9DA62035FFC5F4E655C1ED4AB1ACBC77070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:43.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF82A25384869ECAB59522D70C4502,SHA256=7B34C19B3E34FCDCACBC42E2688BC5C8C0291CB7805DA79D3E4163A531DBF305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:43.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102F0F9F604C157A35E47B5F3A7E80F6,SHA256=2C4C5C4CF0651A3191D5EEA4F629A4D97CD00E21D8717EC0ED109957A5F02B72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:40.496{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-17141-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:39.602{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61765-false10.0.1.12-8000- 23542300x80000000000000001293257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:43.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DB86C5AFC5934E8F554965B4DCCDE7,SHA256=169183DE359F9F1B5E84A0E5FFE54FCA2D1000D45199A26D898F24A4A2948E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:44.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C22801FF8505337B74E71EAE63E86AB,SHA256=2674A8B75522482C1EE754DBD41F872C8D6B16D500D7E67EB5EBB0605B0585A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:44.579{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C096C04CE9CE33C445634CF366C47F9,SHA256=7AB143CF18DD25B44F6EF97865E007E69C5545EBAAA1445266C43BFD7E38BD40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:41.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-21596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:44.375{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=39D6B773DCF266B99BDED19057F80E61,SHA256=5F1F675F0D71D7009CE5607ED918F485A3C6B7074EE1BB573BE0DAFD3705D756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:44.359{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEFFB1484EB9E7E522BE57C6A1CB8EBB,SHA256=DB6C9371F91324AF4450ABE8FC4F6777DAF618D7CA23FCF452F0D0FF6EAB0C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:44.977{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:45.597{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C12AAC93B5A2732E29ED37E59F2390,SHA256=AB59597CC653C3593163802019AE686B912DC50430A733F6CC806E6A41D296C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:45.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE710A00864DF57E09345DE3F552B961,SHA256=DD2CB1B064AE1B3CEF347ECE7A68FCA6E9A31024ECCF58818348FC1017FFC2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:45.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC01119BE4EC177C0FA6D60B8CD8FE5,SHA256=CB4E9C91C0170596C5D267EB6FF2B96502F5DE4201BFA11694466C2730369CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:45.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6668E6760758D64358BBB2FC1B96B1C,SHA256=0B554E106F36EB7E1C478449ECAA270E65F8934982050B346DFED86C982FD3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:42.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:46.656{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9854BDA177FD65604A1DE815EA912042,SHA256=4048D7ABDBF2EEC1A77559F51950BD3813617501BA60C2BCB621AA1F13A97586,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:46.077{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:46.645{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B368F05B2AC18653DD8C7C4B1325EAA9,SHA256=7747B2003397F10F08FC25A3D14CF4D58DAD84921E2AC749EEAF5F00853C8805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:46.162{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40DDCEB33BD0968DB6D93E5879F1E33,SHA256=D80AFD7775BEF3BDEF18C33418467E9365BBA69592D9C6E4A8B1669A0FC69346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:46.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1648100F2ADC81D05A7297EA69F7591B,SHA256=38B9AD24B17534DD1E135C33F1D2D3D26A98ECF047D0E8B420C50A8A40992306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:47.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A402F6CC95ADC8EED964BF82A2E79C,SHA256=477AA798EDC1FBCC431AE28C7B5C6A12E85F5B860B95D20DF0B8BC5E7393C1FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:43.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-30661-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:47.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C55BBDC83A1306BAE07161ACB25156,SHA256=E100DAC31D8EFB0B3207DA384784E8A1C4317ACD24A72A4383CD09EBC330B95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:47.844{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:47.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C336144DD816E72FFBBDD5EB9898FCAA,SHA256=CF3DED77BA5E846591E3A0D3EC1C81D1FDD1ECF9293A75DB47DC98C3FC4165BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:47.312{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:47.429{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DF807FB4B2999EC745DC98DC0D22D9A,SHA256=685C414B977213778521EACC144DAAABA27FB1F8035C10415CD7C755CCA404A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:48.693{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBE09921BBD672260E0DF1EDD3C9752,SHA256=E3EFBA8769195036E19D467F9B7E61DAB0DD3C9C6E29D11D3DA8FD2C20BB0446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:48.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C152D2985B818111557F96751CDD6759,SHA256=5A9EAA274CC4D962B214EBDC95877B62F9F27302FC27D05028C4FAB62C4C195D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:45.649{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61767-false10.0.1.12-8089- 354300x80000000000000001293276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:45.367{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61766-false10.0.1.12-8000- 354300x80000000000000001293275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:45.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-35246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:48.672{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C6B1FD0D834309720577467CC53E9,SHA256=48731D0C30506910E6CF04CF9B665D131A8D17152AC98D81BFA11925985DCB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:48.512{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEFBDF918323A34918B8E9EBDF84F7E,SHA256=223D478024E961DCC846C4FFF6D5C716C545BCAEE6EDA6A135B8F79FD040F1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:46.153{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-39697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:49.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626B7ADE4CE9138AD883A6F003437ED5,SHA256=E913FB039DC851059D319B40D18021AA76D92A669005AE844F4E60549DBA0152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:49.728{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B2F0FB45233FA2D7E28EEC6D114161,SHA256=6CCF5DEAD2EF0451AE7460798F8174A7B8B924D785A60BDF5E1B288898529E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:49.643{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235DD94F8B5F774FB9C47A20DAFD88DA,SHA256=85BF2F342D9031B8BBC37B43B8808C75AF58CF5103F61C4EFF65893CA2181F3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:47.339{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-34018-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:47.259{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:50.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED391725F7AED9BBB25600D295B7AB5B,SHA256=255EC9B535298F686958E87013DC26BD06503559B62035C51CE7A1BB92B0E8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:50.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B4B0BF1E63ED12C250E8ABE87A8D264,SHA256=E2E27A50B3019B5C4FF19C0642B5AC4B8669DC8A04809C8C742032BD623C6526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:50.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB0D4C3C19BC2F4E68D61BE9B6F2C78,SHA256=3FD066D9822B7F49973BFDA2D5AFBD668EE64F4D6B36010B48AA6A826EA5B5E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:47.274{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-44164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:50.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE9375E4ED40CA94B069606643EB463C,SHA256=8AB3B66A1CF9722DE28A5F0786E0B588BA07A4A6FFFBB5836A560EFE7CDB6A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:49.537{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45291-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:48.826{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001386240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:48.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:51.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198E7A764F4FE43917930761FECD7846,SHA256=2F8747FA6B5AD1B923772D3B289D2BA5543DF94A5F881050D91C54E92BBBF08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:51.773{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884C09C68C52178625C73F6F76FF2A0C,SHA256=853F248EC3FD72A023503AB61A5CD92CD0B46E0318D3EB5D24849845B5439601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:51.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3FF981B1D4D65C9EB0FDC6B7F3AA473,SHA256=1943E689187071EEE33BB15A7FF2E36C3D11EEABF678EF082F9DC2BDE1DA768C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:52.956{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08761B1EAF9A5EED16E3754869C7F1BD,SHA256=85C6720A8D19DA95ADE073E953F713934FD621E14AE855005F6549BE2C92E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:52.791{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44BF468984F2737C4A3ABBA534493FD,SHA256=3C488457234FA36304CCD49EDC1EB396CB0743514E1692190E2CA855B2957396,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:49.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-53007-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:52.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44337BC51C0088DF5E4E42CFA498F81B,SHA256=F0D464D0958C17E35BB4E9488D1F4B3163699C3C428EC15598CF6EDD3DB69202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:52.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A62788085A1F808DF2D7891BE83924,SHA256=805482852D2925CA26BC3302FECFF0F3180FF602B79A56156145BF7965C02CE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:48.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-48669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001386249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:51.855{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse2.57.122.204-9843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:51.777{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-56644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:50.677{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:53.824{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6D7C7BC7B2392555ACD4A04E9E3F5,SHA256=FE527DEC27C026434B244C098F7F0B685027DAB12659BCFBB84E10F9BF468AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:53.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94F58AE06838BE32064FE9FC3DDBAA37,SHA256=82DAAE07FF97F327FF346F5390BC98F56CAC625807D63CBCE96C1BBB5507FB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:53.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C1F062089ABC2964AB40498C68DDA6,SHA256=64A821912FEBABFE8855A7EC5B101B190EC05A3384560EE13A33E1BE14EE1867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:54.840{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD671C1ABE30D6C61C0C411EAA7D979,SHA256=5EAA522B1B3B2AC0BC8F8674847782A498C6072FFC8B77BE0625369158BF01A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:54.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4177E6F49AB84E69DAB680882226EAB9,SHA256=39EED83E018E8A9DD529A562D149C15C0D79EFF0C60C763F3C3AFBABD72008EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:54.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD3A4CAD6F0EE85510375FAD873F1E3,SHA256=C33ADBF353C82C5ED2A340FC27C45C71456439BE502943FE15053EF8662C113F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:53.185{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:52.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3268msft-gcfalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:54.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891ED894D3EFDF1CC17449EB4107C84F,SHA256=B38D7184A35186CFFF0AEBB2C0BF0C38E64CE9BD2A62D98F9922254D7835F65E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:50.602{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61768-false10.0.1.12-8000- 354300x80000000000000001293291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:50.558{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-57255-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:55.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A00DC1392CD8054405AB1C30B511D5,SHA256=A2015BA157F7AAB75A99083960F03077EF82F74C438F300BC7A755412AF57569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:55.703{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC68F8782685BCB6A650BFB0A13C633B,SHA256=3D935C5586590EAC14317B2BEB89437933BDD4BE50BBE23AAB9CAE6A558EDCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:55.289{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44BC6341F69A76417041BA866C523AF7,SHA256=F936D3A18332F59853D16680E6CFBC5ACE11CDF865325867956648509BB41711,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:53.986{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:55.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C57FD2F5EFAB315758463B00CDCF1FCE,SHA256=07BEC9367C642ECA708158E11BF27BC5E35D3703D87245FCDED376C60CE4FCA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:51.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-2941-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:56.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368AA3CC46823AE5EDAF4D0BE3F62C5F,SHA256=AC2CB1EC8654014E8F2CCEDC6B48174C8B52048B55204A943372D95189596885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:56.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C3AC03CD5F26822FD049F0367E6DA6,SHA256=0EAB725C692694307F3240B4D7869C8B75DD15807AE40DD00F24228C9F09E816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:56.408{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D55ABAB19E088CFAFF9C5563BFC781C,SHA256=5CCA678AEF1095A95CF2267F65B5E7D4458241106DBB93C74591B090150EA2DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:55.130{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-15104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:56.750{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C622B9497D3B086A7AE2848B788581CB,SHA256=37509F6910CFAB236DBEB168F0339B809EC3E39FBD9978D1F65E4BCAEB228978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:57.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8013F92BD7EA27F40AEE632CFE351843,SHA256=F5D20F79A2CC1539445724A2AE67F86251D952FBC80C0FD127361DC7D0F41EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:57.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BDE4F679598CAB84C7617C7D42F557,SHA256=294005A4259999991008169F6D6202EF503630388FE944160437BC0C975AE160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:57.891{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6292DCF4A1DFC48B6A9190C30D3F4F,SHA256=BB9589A7C1F0C90EF99083EBF20133697F4D90A9C6825B5F68A4F25662D106B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:54.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:52.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-7549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:57.508{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB4908D822AF47A7B7C8C072C7445171,SHA256=882B649B04E905CDE8BFD393D00C354792DB646B7B96A0DED063DBA95E28A495,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:56.319{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-21103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:58.907{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEA46385FA9AFF1348A489AB81F12FB,SHA256=9CDF5ECF21328D467FD072120D76FF389D0B73EF61AA45E571C8B9E8FC53F643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:58.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261475CB9BB7ACD41C2BF330DB9D2F9D,SHA256=75599F8827AE6D9098FF245F8000E98C0636D94DB655CA361BC6920417A4FCAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:58.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8357961E6C4726EF1CBD14F5370765CF,SHA256=304B1282927159F33FE73530F2BDB34EF2FC29703A1C14E5A98D679AA13125F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:58.722{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB087344B9D19E2CBF71CC9F90C63282,SHA256=D822B9748DB3A22C3F7BF0F3B289968BFBA72666A2B148554048193210AFF7BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:57.439{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-27256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:59.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB494B74F1FC612F7692763EA68D2D7,SHA256=DBAC1C68183D39726D3F785B4DDCB175D476597497BA296383E6A785771C25C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:59.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=699A3713D0E53669B48D2C36A14D5C1F,SHA256=5B272439A629C0C1124B4F1188534544FE03658E2EC1E6FEEBCCECF4EF6CB7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:59.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FBC2C89CA0D280EA237A258671ADA2,SHA256=633F6E7DC4CF3B8C65A37BD98AD296B8296BC83F67F28D00B37E2484CDD2CE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:59.806{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C79C394100E5506F6080A604E7AA9DD,SHA256=21172E46275068E8D2C5166AC4B53FBBA30201A1F08E0630D25B612F04A15219,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:58.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-33269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001293307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:56.200{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-20678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:55.122{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:00.939{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB8B361705E5CE9A8CA7DC4E1526CB3,SHA256=55C1E60D07EE3DDB976E7D590195BB790BB88C60727EFAD39FFC47FE833017B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:00.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDED14C6444C4D16B11803AB94231D9,SHA256=978301E189B43EB68976ABEE08491BF1652CA0416FD3D7A44E487092361D3681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:00.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F1FD42F78A401AB72F4464B223177C,SHA256=913788CF2B2F316245E81B263192D242291C0FC1EA46787C1D3C323E56B7AD1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:59.740{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-39490-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:24:59.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001293311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:57.272{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25180-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:56.424{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61769-false10.0.1.12-8000- 23542300x80000000000000001293314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:01.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB9EE4FD57CCC7986E570FD93B57471,SHA256=BE9A8EFFEE21DC811E3C78F94F5E0B1F1E9313E23061725D52AEF7FD8538969C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:01.969{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8044FBD257C1C5CCDCAEF6A4164A8459,SHA256=C622144F507B59F612EB2514E5ABCCA3C7B5BB73090FEA0828445603CF349D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:01.954{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD84776AF5E9D4A6F48201B36376D007,SHA256=8ED6AF084AF4737C4A72D5229DDDA97E7F60254251B85420434FE0F4E1E5A10F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:01.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03881C1C4FD5CEA36B9B8AB6530EEABC,SHA256=F9270C23C8EAFFD98F84C63E45FCD75270659D9439886584E5E2C8007A00A17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:02.839{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D949A129C79B79A017C58BA8F5A7B4E,SHA256=BBD75666D653711BD4E6F6167BF75B9348B793172DD7A265F2AD83B0D60F3858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:02.969{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C90E6FDF9C223AFBF399895EC46EBB,SHA256=65C3396747B04B03AE3320E31677D17EA3C45EC88C679E8FC20A9B427E62C8B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:24:58.503{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29749-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001386278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:00.824{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-45289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:03.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B48578CD8AD5DDFA307D2AA88FB671,SHA256=FAEFAB4DDD8981D14E5149DA6D460F3823917DC8256B4E26BCE0117263A8F7BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:03.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EA6F8019A6CB75C0374F8FC4ECBE17,SHA256=744ED5FE7AC1E1981D4E15F261F6D6AB98C0A3B4F97EB2A181E8204C22BF6CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:03.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FAC733D715433A7179EDEF9A0D6F71,SHA256=75B989BB63D0F233BB7BE5690AB43D84E5B45843CA90C11BA82990BD385EAE08,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001386291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001386290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x052b8d68) 13241300x80000000000000001386289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b442-0x55b0e7d0) 13241300x80000000000000001386288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0xb7754fd0) 13241300x80000000000000001386287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0x1939b7d0) 13241300x80000000000000001386286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001386285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x052b8d68) 13241300x80000000000000001386284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b442-0x55b0e7d0) 13241300x80000000000000001386283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0xb7754fd0) 13241300x80000000000000001386282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:25:03.605{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0x1939b7d0) 354300x80000000000000001386281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:01.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:03.053{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F15A18C6F753ACDF2E4AC0B016AC29B,SHA256=8F4E0B9873A5DFDEEDDFF812EF199A2FE73E9F3D84B35505D678882D5C79C70C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:04.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FCEEA57A056C55B9FD0AC10927646F,SHA256=F2EE3635E7E7A625864031381F01FCAE3C8EF94CB1200F6A22DB423D4BE99903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:01.425{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61770-false10.0.1.12-8000- 354300x80000000000000001386296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:04.086{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-3174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:02.987{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-56754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:04.187{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=264ADB5151DC650BFDC1665CF17656E7,SHA256=0E50A2C2F0CAF78824AAB14FDB3DABF3BE929A1F2BD64F93648251D97D4B3804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:05.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357E358607425676BFA2AE28E95F2513,SHA256=8B5CC8506BCCA30BC8F5D11AE143A393294D3B3193AC66B021B20DC1359F28A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:05.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:05.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6EC5D8F9BA550847BEF377A9408BDE8,SHA256=1D781EBA829CC32051ED4D07EDCF0C9AC4E479CFF2572B59394F2CB6507178A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:05.005{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6CFC60B36E400E44D88A4F48816E37,SHA256=9E8BEA5BED2B765EB96B2942CBE1FF08B00884ED1E73A8F8E698AAB20C5E2588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:06.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F64E9BA6E0FA641BE201D06BCD6BAC1,SHA256=123E3916D267D698C860208225624B527BC814C65427D5B67A02C3EA0F508EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:06.351{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083F9FD419B90CCE5DAC344B1882CEBC,SHA256=5280D2E3E9C4602E29BF9FF5E0C91D2D9F4AF40884A5295E4ACAB1C5E12CBCE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:05.202{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-8895-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:06.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBAB49DB05B8EB4F09456AC7F4DF15C,SHA256=6250CE1C75AF3635DD0EEE84229855FB51E05F1F01D9C8F86C6E9E316D404CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:07.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65768F886E9BC6B814BA552DF586E1DE,SHA256=F0EAEC2CFC674EAF6E117D1DAB43BC2D064F73C4DDF99BBF72FBE9A104434BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:07.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73E3A39D13A8994F07AC02872835BC3B,SHA256=08FD579A54C2E3BE21D0565B4A475D33D0FAB1300DC66350ACCC87114D0D9101,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:06.286{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-14440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:07.050{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B82185C406A382341EB479E3E4B5B4F,SHA256=FA4D63582D1C4365F81011BF21A2A81C884E9F8787CA21409549900DEB9091CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:08.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299F6D9D433160AE2E8F10F94BC045CF,SHA256=497FCED37E2D4D87E31E94026FD5ABDD6195E2662FB6A76CC7D3A3E4A75C530E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:08.783{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98595FC570FEBC7B085868705A0A5D94,SHA256=A608240CA48C0778D0EA423A0016D1D8CAD46BC497F4F694351444A52164B27F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:07.463{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-20249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:08.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26656C66340276F1F3F1DCCF16B532B9,SHA256=00C6AF3A8D3AEE983F43A566328B37E3E2073BC1CC46D729A1644A914B434A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:09.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A605089049830490F8FF6F628B6ED10A,SHA256=A154D817A47515FF9BAAF420CA4A2F1069C9B333FC13149295DE94FE7AD83439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:09.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0BD0958525068B7A654C293DC0C6C6,SHA256=2FC370B195584B2CAD612E6ADE098393D56123102E016395CE6377E8A0696E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:08.766{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:08.720{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-25979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:09.163{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC63D37FBDF180229A9476D34342FCC,SHA256=9296A6F7D301E57920242EE0B32620A0B1639606B6D1D2DD3C0D305913A5EC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:10.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EC7326AC02E682D6C6F3DB10F1DE5B,SHA256=EF1AA348639E15B938AE2FF1D46AC65622E00AFCDB10E639DE81F96363569A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.901{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5CBCD50C688EDFEC65748E82250E16C0,SHA256=F2909338ADDB13F2CA1E85AA4CE297D1FFCC560ABA88110A56AC5A019195E0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF76-6152-AA28-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF76-6152-AA28-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.862{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF76-6152-AA28-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.863{5EBD8912-DF76-6152-AA28-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001386325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:09.948{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-43255-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:09.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-32050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:08.793{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36680-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001386322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.400{5EBD8912-DF76-6152-A928-00000000FD01}69645540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF76-6152-A928-00000000FD01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF76-6152-A928-00000000FD01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.184{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF76-6152-A928-00000000FD01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.179{5EBD8912-DF76-6152-A928-00000000FD01}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9EBFF384EF54CBDC3ABD6463DB36CD,SHA256=792B4676E7B02BDB4B45A57BC41E5CA7D2EAFC62F84ABD3D169E4F5B8846FDE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:07.456{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61771-false10.0.1.12-8000- 10341000x80000000000000001293327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:10.386{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:10.386{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:10.386{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD45780FE5E1C4DA7F7BECFEBB570143,SHA256=F2B4A1724AE9A0DCCF8222A2CD17CB7EDD3E1B7C82CCB64CD99340472D5C2512,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.918{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-37916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:10.245{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59069-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:11.380{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E38B1F042393C4B8436F2786FBE7294,SHA256=F446652E8E1D3935D5D64BC7B4E9C9A870F94396D81B3696AFB80D38E9AD73C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.714{69CF5F33-DF77-6152-9CA1-00000000FD01}10123384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF77-6152-9CA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF77-6152-9CA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.448{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF77-6152-9CA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:11.433{69CF5F33-DF77-6152-9CA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:11.032{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7552CC4B14A45E4B6F0AC31AE8F72BFE,SHA256=AE56851425B36A0408D89E04B2A38EF7C5423590099D87877E3EBF92BE309E89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.884{5EBD8912-DF78-6152-AB28-00000000FD01}40364964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF78-6152-AB28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF78-6152-AB28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.699{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF78-6152-AB28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.700{5EBD8912-DF78-6152-AB28-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001386341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:11.097{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.431{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FBECEF0D213B30705B2497EE6ECD8C,SHA256=C19768305BCF842DE3F200B240DAF61ED1443C7616199CF81D846B36E78507CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF78-6152-9EA1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF78-6152-9EA1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.682{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF78-6152-9EA1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.668{69CF5F33-DF78-6152-9EA1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CF1F92B18331D48671E91E6E35101EC,SHA256=7D5B525801F169BC98B068ADFEA3F5DD2293FC57C95ADF91C2B180C31B4D9574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4AF9B8D5D592C74CF3BF547E66DF08,SHA256=35351F8EA2C8ACAB0B0B35BF62F0ED10DCA873CEF0A2323627179CFADAA480F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.339{69CF5F33-DF78-6152-9DA1-00000000FD01}15722528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF78-6152-9DA1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DF78-6152-9DA1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.136{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF78-6152-9DA1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.121{69CF5F33-DF78-6152-9DA1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.116{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A1C60ECE6E655BDF51BDDE1042A4A9,SHA256=C3DCB7549220AA05F398556E8579E0F5F674446C641B595B3E94CFE46EFF05CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.328{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.134{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-49140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.182{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-56297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:12.051{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-43418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.447{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A789AF2665B59A3FA12BDFF1C52CCF,SHA256=445117E96F0902AAC50E7356714BF68A69F0C44E52622A11DB116D82C686DAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CF1F92B18331D48671E91E6E35101EC,SHA256=7D5B525801F169BC98B068ADFEA3F5DD2293FC57C95ADF91C2B180C31B4D9574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.526{69CF5F33-DF79-6152-9FA1-00000000FD01}15921736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF79-6152-9FA1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DF79-6152-9FA1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.370{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF79-6152-9FA1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.355{69CF5F33-DF79-6152-9FA1-00000000FD01}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:13.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA15E107C1C974B6EE97753BB8D0CA81,SHA256=539A4BC68F9D8A16B3FB073AC3671DC6A1F79C8D152E9F80C93357256F7A2470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF79-6152-AC28-00000000FD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF79-6152-AC28-00000000FD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.362{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF79-6152-AC28-00000000FD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.363{5EBD8912-DF79-6152-AC28-00000000FD01}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:13.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41C259C84D8B62383D630D80DD43629D,SHA256=0780D7901896F85C4D4D1483D5F9D3BCDAF831B0145A0F8C4DFFBEFE0C5F55B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:14.430{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-10047-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:14.264{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:14.462{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98DAEF7678FE1829F151778D6D7C3D6,SHA256=60E1AFCA3320AFA5300618DF9853EBAACA048A3DE9AAADE2CA4C64B2124C6752,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.968{69CF5F33-DF7A-6152-A1A1-00000000FD01}5202080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.907{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5725MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF7A-6152-A1A1-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DF7A-6152-A1A1-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.763{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF7A-6152-A1A1-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.733{69CF5F33-DF7A-6152-A1A1-00000000FD01}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE61C843A4E0B9D428A9684FBAB9A945,SHA256=30F01890A1183523915345D93B04CEE2ACE2F9BE02883F916E93AB0404FB5FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:14.331{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=631923A4885C56DD7AAA5A210C58370C,SHA256=8327CA5667B9B8134D84A3951454746DB28A72BB5CE6637C047E4E4FC71A3F1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF7A-6152-A0A1-00000000FD01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DF7A-6152-A0A1-00000000FD01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.057{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF7A-6152-A0A1-00000000FD01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:14.043{69CF5F33-DF7A-6152-A0A1-00000000FD01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001293422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:12.565{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61772-false10.0.1.12-8000- 23542300x80000000000000001293421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:15.907{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5726MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:15.171{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B97865078DB5E4602D42CF3307ADF81,SHA256=8AFB1DF9F809DD03ABE257A61201E86F19EDA39D70BFF8C2969AD4A43FC83A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:15.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-1465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:15.580{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16AC29715EE66A0877C3F86E21237C67,SHA256=AB93B59B1191FCA9831F013205443B9B4CB03BE3FE2605DDDBDB64058271B16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:15.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A260FC100821B02918E088F3AC89C0A2,SHA256=9C713596D6CA53D4F3EB825A9CF56CF3CAC633B4E8699EA5BF85EEDBDBC40D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:15.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B2C55DF8AD85FB6DB6D62DEC88C67DE,SHA256=5B59334A40E980A7444AC567FA2A00EB7C418D31CE82429E225BCA8828731473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:16.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25273CD6E08FA85E2EFB14D5109B3082,SHA256=7C6FD45B8FD7C9987F0E2EBFC1DB45741151C5D290D8E53B821E7F29FE0D3B8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.729{5EBD8912-DF7C-6152-AD28-00000000FD01}43606588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001386382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:15.533{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-16248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.661{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42676A504634CABD79461470B918CF06,SHA256=FD85E8F622AD54F1B2B5585B6E99B1057DE03B2A96E914C3327AC94E153E5464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF7C-6152-AD28-00000000FD01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DF7C-6152-AD28-00000000FD01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.545{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF7C-6152-AD28-00000000FD01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.546{5EBD8912-DF7C-6152-AD28-00000000FD01}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.529{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116999D46B90ECDBF945AED23EF5F830,SHA256=838D71D559A49D0A0840D83ABA6E4279778AF461D2A5F16FC654B20A60968850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:17.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE319E992DA618B61242DC190F2BED3,SHA256=6D29C9EF303D9B91D7D1FBBDE32632751F84B5027B8E9E5ED2E5861BF370BA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.745{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DF125B4C3E9CA9D4DDAD2C415B14A75,SHA256=5586F28FA167DCE1E335DC4BD9DEFB11E4AA567C414A646F23AC0DB4E7CA7122,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.594{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-7892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.059{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.530{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0D715500CCDFA1C7B04FAE870C6976,SHA256=5928EFAAE7861870E6438152EC584FB59D51E66A493686F139283151E99D3060,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.380{5EBD8912-DF7D-6152-AE28-00000000FD01}5246172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF7D-6152-AE28-00000000FD01}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DF7D-6152-AE28-00000000FD01}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF7D-6152-AE28-00000000FD01}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.229{5EBD8912-DF7D-6152-AE28-00000000FD01}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:18.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF66C703779F7B980E14A476AB70A37A,SHA256=F95B21D715658FEC8211BEAD06EA5ED18494D7AA35D451ED50991F3F57DA70BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:18.828{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA44D52229CFE01513E3AD7B625B2D6,SHA256=EF5D71DB4416506AEF517EF94F2B02476694736C33E38D47213E769732E295EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.701{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:17.678{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-13743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:16.616{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22576-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:18.597{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB8116C8488224D725E96E6B99C23BF,SHA256=CD6E10C833E8F2F879DA18409FB262E2E20F6216F1992C18C6BF4F4900DF910C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:18.046{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1408MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:19.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC973B577C64B87462A1F9110A696452,SHA256=CD8341BDDABC02AAC8A99325E250390CA5E00365A412A658F6D428FABCC90F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.958{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=612D05DB3378C8097E399335369A1CB2,SHA256=80076848238847C4D9D3DDC4D4E131DACD232CC406411573FC06362DF1046DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:18.811{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:18.764{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-19560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.611{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F95528D44C663255DAE89F38070894E,SHA256=2F72B6AAB068DC1BB059C9092262E5409694433FA4C85C4AB085DCA464F90455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.060{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1409MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:20.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A76F5EDF2E363ED75A1E39606C37B2C,SHA256=A3394ECAFF030099A280DC932D8F052060F460D92CF36BA31AC8403A1D187CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.860{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-24937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:20.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC83BC4BE053B238F59BCF1E6A6CD529,SHA256=81A80811452FE563D4103E4DF3F9DC6064CECE6F60190959DE391338032A5C21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:20.011{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DF7F-6152-AF28-00000000FD01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DF7F-6152-AF28-00000000FD01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.995{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DF7F-6152-AF28-00000000FD01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.996{5EBD8912-DF7F-6152-AF28-00000000FD01}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001386423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:21.071{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:21.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:20.976{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-31072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:19.931{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:21.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6B172CCADC9E1D62E368F3290471CA,SHA256=AD04F19A919A1FF09F2F16B785AEC912E82A2299A356B2085059FB9B950D1205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:21.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF423D3801A506222B49AB91E793AD3C,SHA256=F053C212E1E328F99755FA3759E20FCD2A6E1E6639A1F1DF751A983FB0FF5509,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:22.225{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:22.074{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:22.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F2BEB65860BA2BF42B4819BB7C48D5,SHA256=E6FDAA259CB70BFBB9A1C340526A12E4845B1EF15833F9C9A9555ADD82E29FB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DF82-6152-A2A1-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DF82-6152-A2A1-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.500{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DF82-6152-A2A1-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.485{69CF5F33-DF82-6152-A2A1-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001293429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:18.524{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61773-false10.0.1.12-8000- 23542300x80000000000000001293428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:22.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E71DC2501656BDC366A69DBF5AF3D68,SHA256=21C1949006A52C010BE198A709A9B81A19C9BA4DCCD2F6263DFCD287C403496D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:22.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66BE706DE706198FF5C5A3CCE65FF55B,SHA256=D136D6490E5D7350299DE2F0C7CDC129492F8A5798957C2BC79867E4B8DBCDA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:23.342{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-1968-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:23.192{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-42621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:23.696{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF571948522FCDC0970D78D02E3002A,SHA256=331E6EC5A6D4463B76275FB4260312AEB280CF686E8418D19A8BE1F771D6B191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:23.515{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE13D3DBC65FFF0B38F94131737092C7,SHA256=C0A608843B3FE1C4FB51D81184FD23A23B8D5AA135A0B092E00649190FDBF17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:23.515{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8660BFB5048DF681EF1CDC9AABE581CB,SHA256=9AC782FE03CDF400309381613245649C6585E87C53D1D6BBF79752B16E98D5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:23.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66237FCF88D08EB38CEFF399BFB420F,SHA256=E0F4903A86396D8B93F7D4394D31C3CA0D0D4B11AFA8190FEA2557A09F2217EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:23.259{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F07067F3F07B5F205CF371C28704B09A,SHA256=41138E499D5B3834F291EB9C656913561A866FC06755163867BB678D75F82F3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:24.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:24.277{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-48244-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:24.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD2BD80FCF853BEE6CB995766B38ACE,SHA256=D824BEAFEB156A27C66D0A685AD8BFF8BC270933928E08C5DDEDC34ED958C229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:24.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA9D47A0A2220F4A6FC442CD8FFD80,SHA256=64942F38249544AF173AC6EAD6AE6677742033EA4AE34547E7F80783B6B6C7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:24.343{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F55C8A081B4B668C0B7FA754837D26E,SHA256=943A1362843D89CA1816B480B5C446F02380EDDAA5F3095771345A091F39B6E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:25.648{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:25.373{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-54002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:25.758{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA72D4ABA6078D8B2A6D154E62D5D88,SHA256=27E3D9380DD62CFE497B5396FCEFFF9DF63BD72ABCAF29898A3F34C65F35DCB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:25.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC269E7B2ED1C6DF1131E58C5CFDA25,SHA256=0ED99933BB7D76681248E5612C4EAD6AB91B5A5D20E0F67CDA3FF8924E353C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:25.458{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26870D92DA6A90126983C6C188DCD90D,SHA256=0FD718EE6866D21EAB1EF6CEDDA367BE2CEDB6B9C87F78B8D3918D1889525FD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:26.476{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-59478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:26.109{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:26.776{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2613851DDCEFDCC028C6A1637DB27343,SHA256=7B878C60DE0120AB63F84C1E22741BE0CF40A166D38EC30F1B336608F2803C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:23.555{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61774-false10.0.1.12-8000- 23542300x80000000000000001293448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:26.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A8E8BB070F19C34D275F1B68F54463,SHA256=91688916DC9E289E2858CB937980EFB2522E07A2FCD196161347BF973329EE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:26.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B9D459229279EE2EC300FE17CFE9246,SHA256=969335003388DAE255A2309B27E9097143176E5415B5EF8B14272C869AC631F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:27.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D33EB7EF28BE15BBABE7B9BF265CCB,SHA256=1A60CE4E6F3D4EC795BA4001C55DDC51DE80C09F6FD26AE23235C0B21B4BBB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:27.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D079FC690979EFD7891E89632B4486,SHA256=B6813336989B4D52C5ACCBBF0B5285B6A21C40CE169BF58C2D6196C6A84A5770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:27.675{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A5952738AE659B892DF7EDED2E4739,SHA256=1B45FCF7BCBCB4FD78ECE23C3BF72DCD03FC5BF84646980BA97AB48A8AD428F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:28.824{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EEB0327A49259320308DA8AF59A0D7,SHA256=FC8AE78753687B730EFF1A0C01489028D764CE499E3C7260776E21FFF81BD665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:28.125{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884DFDA092A63B07CF25AEE0ECCB09B,SHA256=33920EE3FFDC72FA516D1EC7B59690559E05ACC1FF47650B2C2F98C3B19AEE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:28.756{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0018F7365C3FFFA764BB7B5F2AADA9D,SHA256=68E414A9C83F3E18E21134893D2FD8A333D968A7C93E6286D7ED1A9F77E84321,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:26.729{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:29.877{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF0DF895722DBD256E2D9C00C0430144,SHA256=8C3D354E706305E038D7C5B34A69E01C91C96B36A0C8ED559E2A109832896DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:29.839{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9598C617A08F0B3F13650D2415FC533E,SHA256=4A57D0BF3076877F3286633C6FDE52C91C62B93B282805B290A76A2CC09C9340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:29.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EA0218809EEEE24D0B436B3D53B775,SHA256=89FF6ABB560090C67252EC51022ECDF082775B31FF6CF1AEACF37DE60724E295,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:28.690{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-12405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:27.815{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27681-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:27.574{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-6307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:30.992{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB2C2A011C990EA1FF01CD40305C8AA,SHA256=B10DB096516F0B7CB47F318B56EB03C47123C3C20E3728D867FF5E5025E2850B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:30.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E5127ACB026AEC82B96426EDC9647E,SHA256=14E78E4770C3A24EC6CC1B0878DA42BA3DC590D1CA6148363BE793594DD93B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:29.789{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:28.893{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:30.140{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E45CA40FEAED15105076C64CCB98C15,SHA256=970E775067C6B04B7C4B421BED5B75373139E4BBBF1846FDB2DC7A49ECE06071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:31.891{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDFACE13E0CD1FBF56DC67975253A11,SHA256=7DC75466A01E31B0D5C5C666A9BCE45B2FEE2468CBDC92E43A0EF5CD74E001B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:31.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD939DDF5DCA9CFF77481EDF5F16173D,SHA256=6C84EF175CB8D02A3DC50BF758A76759121D1DC585233CB2F31795EA7AF041C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:29.974{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-39976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:32.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF12CA52A275D023CD1193CD7F20BA04,SHA256=03BFB5C3EEF708D599BD6880691476E16240AB7CC446516660400AA55EFDD49E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:29.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61775-false10.0.1.12-8000- 23542300x80000000000000001293455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:32.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844B0811184DA5C30E4C212ABA6D0437,SHA256=832DC4EAAAB20073E6C7F597BC173DC53BBCE0CF2430C58D65CA53187855D422,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:31.153{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:31.058{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:30.911{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:32.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33BC575CE771EC988DE007340AF2BAA,SHA256=E34C779DDA581144C1452B9F7910FD5FFA3E258C59CF5249DBC38C11F48686FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:33.938{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F062DC4D497F94905A95963F093AB67,SHA256=C32BD681D4D5ACF4575C9519B9A112254BF1E9C300E7D52F6ADE174BBCE7F62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:33.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466A996688AFB64B51B39A25E121652D,SHA256=DBBED8F95441079070FB783C646E04F6E6A8AC880647CB42E59A437881A8D1A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:32.142{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:32.009{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29146-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:33.171{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B51A0B33E8468FEAFD191D0F3E269BD,SHA256=0E47020067AE9C989125B0599392153B70844647E00683AE74E0ECC47885FF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:34.954{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3988FEA19C168CB7A2AEA229F478B1EE,SHA256=CE2BA6FDBE0FE5D3A863575C2770B97F735C4ADC1C70748D9E77571C8A7278F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:34.253{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76F162EB1C8A24896AB42BA3B49F2332,SHA256=BC02EAFB7768552341E4C7F66864BD48C09078ADC7A4808285717A0A387E41F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:33.239{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:33.093{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:34.187{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE552D4CBBC8F0E8669773B92B6CFB62,SHA256=9BC5BDF015223A1279C35801876206AC848FF748A6F5366FA9BC1A43CCFE4285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:35.972{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B0BA4520E1E2A391B8B1FE775FD6FF,SHA256=F6DD729C92971884EC9ED7D0C57798AE23A076F051C8A6812427C2254E977EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:35.203{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37EEA713F17B5B8D0A4CD5EBF5FE55C,SHA256=60C71F5359124D12BC290F6E4ECF97BBEA1696D63FC2DDAA816F9F48A3496E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:35.353{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=735C0B4B994221F87F87D93603D53289,SHA256=FADD5BC6FF865386092A820692B3AF02859AA9B91F07C26B36C7533B3943C53B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:34.186{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-40627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:36.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D54CCD348AC9B3456F530170C519FD6,SHA256=336D65AE8A70663558217BEEEBCCEF35879C40D5D4467DCBBAC8437A73820101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:36.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7AB6517558C5D0763B30B4A1C3673B,SHA256=6FDF33E717D02F0BD81082958D9F23342EE716095025F54DD1AF75780BF5BB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:36.453{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE930D7C8F9782743252B2988458C2D,SHA256=D5823BE833CB8791563CBA558F2E604221D8EAC80BCF7CCF780D8A9ED52FE444,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:35.518{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:35.271{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-46326-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:34.370{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-6098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001293462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:34.586{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61776-false10.0.1.12-8000- 23542300x80000000000000001293461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:37.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34AEBFC9C15C918C0D03F728E4946B2,SHA256=9EECA470F2F7C5A4C610CDE37BDC9FB6E82B0ACDF214D3264BABD3FBDA159111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:37.705{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DF7C60D6FD577CA327D2CE8C02453A,SHA256=106246C2722F98006692310C1AED5346B2D602B093D131FCFBA79B40E2EEC698,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:36.741{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:36.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-51808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:38.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDFAC96707108F108296C119D0C41E3,SHA256=E58ECA4690A1C8C02FBCA4885C850157CDD0FE7AE3A122514EBCA17C5491B097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:38.803{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD306AD17D2EF2B5A66DEE502667D1E8,SHA256=07C86238C34E3314D712F9D9005DE7F4717E638869BF13853E5206F6680F2A78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:37.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-57452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:37.120{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:38.004{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16914C06762D78F9E6CDA68CE8D7AD,SHA256=629BCCE45107A8FB77598D5B63FC44BD48A8B969213A5A49C05B17091DF6EEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:39.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C5831A3BA43733AF572D0668D7374,SHA256=8919D4E481C1E052CCA0A8BE40E04C65EA67D19DA3367CF7F966BBBFA3C8BDB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:39.952{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751575B8AB72C97A44CADBDFBC9A8760,SHA256=E8764CB877A8A79C3FF4D54686D22F71F19607D675CAA3ABBD96202EE22A0E80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:38.732{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-5039-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:37.870{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:39.034{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAD40FBCDECB4DF6F2A47E524ACDCEB,SHA256=807E58234736A74A04A8A655DFD844F3A79DDC0BD0FCB096A0EA8FE5A6D71E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:40.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF5A2693156028D61641E90960E5CC8,SHA256=33504F9259B3EDD5B542641419B01B9631F61C8DC84C1706DBAA94C8543B255F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:39.877{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-11133-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:38.997{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:40.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C422173F53CCD5F3C259CEBFC7FC49B4,SHA256=82C3B19E558873277907F98C7A7B137A9E1FBDF21404C46E8127AF599281E168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:41.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF265B5A3BC53ACC246477BF1AFB5908,SHA256=44E2E2328CCF9FC6F43B9DD4CD60B5B4AE2D5837B6567AEE81AE89339E57853D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:40.121{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-39344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:41.088{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=139B879992281813A47D36B2FB1B6345,SHA256=6D9215325242EF2367CC3CD371B025395724A40B810956F633C66B12CA950005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:41.051{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6984514E25978808B1F2D899F2A2F02B,SHA256=C49B0C15D7999AFFAD96184AA61E4D150E0C85008F346DB7C00EFBD43E3F3D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:42.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70881412FF181E9F72DBF2354CC18D44,SHA256=3961A61D423BD6D1100CD5FA1CED65A9E556BAD9A11816AF2FBD181E16C33546,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:40.987{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-17184-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:42.170{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4304A5E1DD2804384AD019983BBBFE1,SHA256=0F4A463959404B08AB14DD798A7C201EB7E2595B848685AFEDB459ACF8FE31CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:42.087{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180CAF40D5AECA99D57BD4E7AD042600,SHA256=B80D8450BFBE4A6D3CCC40D0E7A56859F6810F51C420B695D1152CFF82F20215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:43.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734FFB469B76CC8DBA35CC398E7B21B1,SHA256=CBA8C9062E4FF0E12BEA252B30B87FBD3470E4B6D9CBE34285ABFA13CB279926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.502{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13064ADED8A0896189C67C9060B1DC28,SHA256=2F13AF1E66B7643DAD355F3D8278A634696498B2C0155DFBDCCADBFDA7CAA305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:42.352{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:42.106{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-23208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:41.240{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E1FB895DE0CBC2037A648E27DC0FC3,SHA256=EF44364324F70D409D3819FDEA826B254CA67E775A6D58DDBDFF4174F3EB5F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:44.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51044552426CBB703B1F191C323AF739,SHA256=C906DEF50D044A9B14764652A0C3FC68CFC24B7960C5815A252D7B8A9A6751F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.585{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=556435CB222C7F1174D35522299585FB,SHA256=24C3F1820419B33D8E3E77176B306C33520D560D49D95165A16F802ACE2905BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.438{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58039-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.247{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-29250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.148{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.117{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59075-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001386507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:43.117{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59075-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001386506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E0768F8EFF5646D94C33BAA650919,SHA256=AC664A03D89889445EF00BC5D960A7BBF8B395F6EC6C722C8B144F5FA6C401B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:40.525{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61777-false10.0.1.12-8000- 23542300x80000000000000001293469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:44.377{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91ECE090D5795D53858CF7D58F44808E,SHA256=735E4B11861B4033EBBFDDA97F5DA819849935A371DEF3BE736926C433054C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:45.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C78364F032E7171961F0A068922F6C9,SHA256=ABCC31050A4A932B6D7FF7C1E181ED3E758F94C061F272D4ECED479995BB92AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.731{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36704-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.709{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36574-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.685{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36420-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.663{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36212-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.605{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-35993-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.521{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5148-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.132{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C848EA6367B65B57806742E21D6B91,SHA256=0826524405BB1C1826B6F40F420883D0C1EC10807C78B3E446A3CCE70CC3EFB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.056{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.034{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.997{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.974{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.952{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.929{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13234-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.906{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13027-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.870{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12921-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.847{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.825{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12674-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.803{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.780{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12290-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.743{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12145-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.719{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.682{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.659{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:45.621{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11347-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:44.753{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.15-36818-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.169{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C1C58DA39DC8DB9A5AC496F1745E0B,SHA256=CC5CE05BD2316AE193FB816DA766497B179A5D207B3A61D5D689E6EC781E743C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:47.330{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:47.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7118158E090064CF91D249E63F79DDD9,SHA256=55C1E92648202F9CD920C242AC7F5C182068683C9F43C0968A528457D295CCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:47.868{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.329{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15186-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.269{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.247{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.212{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.190{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.168{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.130{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.093{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14068-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:47.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1547E36BE2F1196E8221B9DB5A6566FD,SHA256=528C1925537BFFB4EECBC37CB8C97C3479F9ECE8DA724F062C5BFDF6EF9C77E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:45.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61778-false10.0.1.12-8000- 23542300x80000000000000001293475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:48.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08073DA5D9F24310BCC3A71B1E42DDD,SHA256=8A15025ECC509C0A4493E739E73F75BEFC8C5845D246342506A40F6DB51AA10E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:46.366{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:48.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87AC2AF38B9833B2D97913D7F86A3E5,SHA256=B1104D4C8052A25C3BFACF0666839FA100F089BF3D636809B000AC93CAAA9634,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:45.666{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61779-false10.0.1.12-8089- 23542300x80000000000000001293477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:49.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B946BBF303C49A99D2625931B89FD4,SHA256=35C1EB9E3210C2683CE33ABDDC8A5CFA9FC98EF9E35AF123DA475C5A44BA753F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:48.844{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001386554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:48.259{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:49.199{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23888124668894CE41BDA45B8452D915,SHA256=1EC008FB9F417AA81B4A720581C3FE6794A9A7CF2DB43C9F0EB7FCE0EC7F042B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:50.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D16BF9176E1EBAB612BB2467FBC2F4,SHA256=289C8AF2CC3A1A175632C391CE92D2E306EB86020202C9247F8162E76066AF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:50.230{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06C1286C2FEC704F939931112056AB1,SHA256=8A3521991647802D732AB87999A4B39EE85CB5238007D2B499C7B4D5273A65D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:51.245{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DE7E6DE10B5ABABE2AD17D65A65893,SHA256=97CB7C62FD00C7A46D87AD7D034134574671A991A62AB931673BA4FB67145A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:51.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6222A257A46EF349B039326333C0AB6F,SHA256=ACA3D1A363E847EEA9103D12B4BE7E058174B01E69790E6A1C8D94D05A4B2637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:52.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC62D76E4AC726AA11478AA5741720D,SHA256=5524ED9BDE6870A17EA165A61DA561ED73771F2A0FCC384F26780046BF2C18E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:52.263{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDA8BD825FE15305CE01B6D687FDBA5,SHA256=1F79B901D57DAA63D4B5D00E703AA8B6C9D644E0D23C410B9E67052E13082EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:53.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49CF62470B214F5BE4A4EF7AC8EABE0,SHA256=A9F35241EABC9589DC6E331D934D135F77B86AE1BAAC113691BA69A765C3E34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:53.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F137B75615025E7D8321088E1594A8CB,SHA256=045C2C89B202693299C43E7BC364A099657D88BEEDA96D013F0CC5F5D83E1E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:54.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7942FB64DC7281E5387EA158005F3E93,SHA256=76C174CC363B47A53D9EB7A2BCD54A8AC0DA766BD6D42C31A558C7AA84913660,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:54.126{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:54.360{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACDCD39940092979F7EAF2D1DB9FE5D,SHA256=6F2B93437419D063A591E65B171FABB1F55D89FA05BB373392B2E3D13CA89094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:55.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF504752AFE2E40D7811EFFCC0710C44,SHA256=EBE438D5023563DB43455130DC37D878E5E02F2A88332A05467C885ACE0150AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:55.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB9F4CBF94634ADD5F17FE77BC8B16A,SHA256=6FCBA0E60D76233BCD4C07D9EAF96B38FA23FEAA4E4DA5A2BE20B281A8331917,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:51.525{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61780-false10.0.1.12-8000- 354300x80000000000000001386564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:56.229{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.76.146-41631-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:56.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1424F65CF3446EA7E308DF01041C950,SHA256=4549EC6FCBB91EB5AD9A0F3944500C107E19B470EB69905248521ADD353310A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:56.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCF2A6D7DC7BDD69EAAB9315975A51D,SHA256=9110C8A776EA55186CA2D500846B1B02C4B3529BD1BD752A59DF765B9F96BD8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:56.397{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.76.146-43286-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:57.459{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08DD4BEF575C77BF358358C99EBEDD0,SHA256=697655C5339C3CB72470D79B669BC038ABC64913FE7F84FA0995663C4635858A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:57.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA9777F3644462AF2F7063074754A7E,SHA256=7C6609CB9A95FEE3A5D7A51E87B03D54F99564D047326E49CC371797C63173AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:58.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C0A591D3B5C6644E3BDB0249B7AD12,SHA256=AF3D350129419BB0B3D5EFF1EB51D40F39E9276D3A11AFE286FA40D011EC2BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:58.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FC57EFF25FFC46D46E88A945CFF6D2,SHA256=D08C46158063A1143AFF51F6D965C7DFC78A7075A97CAA9BCA866618C55583E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:25:59.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5AEFE8ADC97BC43E8BBAC8045D4CF3,SHA256=3135FF8EC375043ED12063948C3F7ED02580E76E89A88C333AA2E2FC0271A1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:59.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AA011089891D6275CCC5129A34D717,SHA256=85D0D4ECEFC42534776886686AE5965FD785082EDCB49A9E560B97D08FB18336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:00.492{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22121F6C5A98222E54CE32886419D05,SHA256=C0F9AE0031DDFD7F3823FE135DFC3E315341C1CC7E94C9723120B8AF42C2B03D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:00.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4347D174922A25C8CBD54EAF0143D7CD,SHA256=6B463EA9BF8613EBE286DC05F242A3729D966390B4C2308A7EE208D55E923ABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:00.076{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:01.507{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739D3138B73A375E895554EAF7A25BC8,SHA256=566F4110F4F51AA1808BF61D49FCD9EDB48B0A50D2DA0A83AC067066B8B56331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:01.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0837F761441B3D16979094C708CA26E,SHA256=4025CB5675690114F06006C1C5C9028CD2FFDEDCADF316D8F3C5B481A80E98A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:25:57.478{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61781-false10.0.1.12-8000- 23542300x80000000000000001386572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:02.515{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8E38828881FD4AC0FF79AF4DEB113B,SHA256=7EDC5698CD4CDB4E3CA2CA932FC66CFC816A8BC00B2C0BDC70F454C4714D1BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:02.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5B48E6683DD83EF04F1B470AE83263A,SHA256=C534EBD05C34696E1135DD8C0ABEFF2372EC1DD4533B449DB8D2FC8809C52145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:03.547{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8847C7660F2B918B59814E826B839024,SHA256=8761F9D60B426EF167CF0EDEE2AA07A5E027A6AEA0C59522B113793BB2E1D63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:03.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675464D8948E9A2E6ADD0A9936E57BE,SHA256=35649CF967D3E63B4EFAE7B49549B39366B98B0DA81B4607C8370DF96C9CEEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:04.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE002BAB80B187FC780FE844B51DF82,SHA256=0C7EC0440D03D777E9A0A93772C89E563D4EF786613072F50FEEE36064674407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:04.565{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB20C7AF581E713868B363D642A99587,SHA256=351759A559A7EBA1BB6B83643E08D48085C195B32C181ED2F766D25DB4CB43AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:05.517{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FDEEE9C3550802D66FEEFEE7AA8B95,SHA256=EF9D8B32B0CAD6607826D8B94DBA2BC5827B6510CD4B6460C500F6004F061161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:05.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E6A73DB5FF1866F3A2591C7B1DA00B,SHA256=1F1C55FE28D33712788EFDB4A4AB3C02B6E5C083D1C4E85C333FBD8B441CCD48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:05.145{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:06.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CC1EB723F688919908BDE4B7F46B3A,SHA256=9D93DAC7D899856BA621900AC04F6DFFDEEE6B13FBD1D0AA26D627CE99630CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:06.597{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03235D68580941401179572A840B714B,SHA256=FBB8B2751F41090319D70080F934FFBB5F02EAC7D64BEADD4D2DEDF14EA372D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:07.612{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5255BB76ECBE45E7D56ECF42109DEBDF,SHA256=7F846BD9777A2A75D4D368F8CCCF1C47F3D78346BC216025D55907D5D69F9433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:07.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A966F493286E5E8FD2C656A7276D9E21,SHA256=874AE72496B2570B800830607B02FE109F2E2EE81D58ED045B2B3DBB3BFD77FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:03.416{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61782-false10.0.1.12-8000- 23542300x80000000000000001293500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:08.564{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA0D880985CB7F9245C3DADE4406907,SHA256=306663E110D5483741AA4CF66F6665EE83C77A3A76DBD37CB0624E85E5143D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:08.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1814C8002542E7298B6B8C0FFB53F5,SHA256=DB959E0F2E0B2CA6D008B83754CBEF5FEB0DA97E4E3C0EDE593FD6537875385E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:09.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8E6D89635B6A259CEBBDC9750BB0D0,SHA256=42EB0C6AADD29128657531C6469EC3232DFF604CFA550D1929C9153AF8F32B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:09.642{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4906F4DE923B90D87E11F4C22651FA,SHA256=B0D1F73C79145C40613E9C269F1F6ECDA97BF88F26293ACB1DCAE71BD2993691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:10.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26FD647F7C76EB54A1CA6FD42948C21,SHA256=8C19527E48605CB69902E13A37A836EB1B46132859143B66C6112B5E52D57F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.910{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CBA3A3A659258649E7B77A8B38D50E15,SHA256=0F80FAA50F415820F9307FBD3CB4E021C589CB1502F7E462E5B2E0BFB0DA9F6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.694{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB2-6152-B128-00000000FD01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFB2-6152-B128-00000000FD01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.679{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB2-6152-B128-00000000FD01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.680{5EBD8912-DFB2-6152-B128-00000000FD01}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0100E3B924401F3D37453CBDE296321C,SHA256=E30908C10924C435094B2E4FE46829DE263137E95A458694B27DB4FA070997FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.410{5EBD8912-DFB2-6152-B028-00000000FD01}42605556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB2-6152-B028-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFB2-6152-B028-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.179{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB2-6152-B028-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:10.180{5EBD8912-DFB2-6152-B028-00000000FD01}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001386603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:11.092{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59082-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:11.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE04D7CF8A9642543D98C25B6B0935A,SHA256=F77F52C89D9A893E75D7C2CB8F10D9E9DA28E8C090A6D675ADD78C2CCBF613FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.642{69CF5F33-DFB3-6152-A3A1-00000000FD01}7363320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D8C4D34B049455E9C48D4761CEA2D2,SHA256=81B26B432E22F0A0BA58BE40FE80103C843F121D24B5494DD193720B63F38A63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB3-6152-A3A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DFB3-6152-A3A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.470{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB3-6152-A3A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:11.455{69CF5F33-DFB3-6152-A3A1-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:11.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7B5413166CD14FC946BE37402485347,SHA256=E6BE22733FF31BFB24B3238E9CAA9DBE3606265821922895F951B39673112D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:11.196{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D550491EEDD1196308959772F4F83A18,SHA256=F90379CF7D425A12CC19A51B49FB619DCA53E3B05841701E549B7429DA4FE8D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB4-6152-B228-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DFB4-6152-B228-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB4-6152-B228-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-DFB4-6152-B228-00000000FD01}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:12.712{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D7A005E4C8EA9573D85E10E7A9E892,SHA256=B7AF83776C1DF8519B5D3F171DB727CFC884F6337FA6C221861B813F911DE9B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:08.556{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61783-false10.0.1.12-8000- 10341000x80000000000000001293547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB4-6152-A5A1-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFB4-6152-A5A1-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.689{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB4-6152-A5A1-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.675{69CF5F33-DFB4-6152-A5A1-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC19049C9C6E400EA057FD526CA0F79,SHA256=1F12F3B3AA895A7A2B002D102273E9CFE07960C2FDDA0025485D88C4927683C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0AC0C2327FFBDF1E543A0765F2913F,SHA256=01BE20CBC755F00817C5F404B6E12C80FEC96FE96A20EBE07271CB8832E2E277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE13D3DBC65FFF0B38F94131737092C7,SHA256=C0A608843B3FE1C4FB51D81184FD23A23B8D5AA135A0B092E00649190FDBF17A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.236{69CF5F33-DFB4-6152-A4A1-00000000FD01}1004216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB4-6152-A4A1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DFB4-6152-A4A1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.080{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB4-6152-A4A1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:12.050{69CF5F33-DFB4-6152-A4A1-00000000FD01}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D477BE73B9F707453BE4E10F13C4A4E,SHA256=7F6E7521923A5382DD97017F853CB36B05A77930CE7F0D659763567B292AFAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F0AC0C2327FFBDF1E543A0765F2913F,SHA256=01BE20CBC755F00817C5F404B6E12C80FEC96FE96A20EBE07271CB8832E2E277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.765{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D143A6E93232BFC22EF8025E03F15279,SHA256=6CCDB3E61530365F1C64A61269CF92628527C980CBA25479361D4E70C7983F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.728{5EBD8912-DFB5-6152-B328-00000000FD01}47164044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.712{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7B5413166CD14FC946BE37402485347,SHA256=E6BE22733FF31BFB24B3238E9CAA9DBE3606265821922895F951B39673112D33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB5-6152-B328-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFB5-6152-B328-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB5-6152-B328-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:13.397{5EBD8912-DFB5-6152-B328-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001293562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.565{69CF5F33-DFB5-6152-A6A1-00000000FD01}24443428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB5-6152-A6A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-DFB5-6152-A6A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.376{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB5-6152-A6A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:13.361{69CF5F33-DFB5-6152-A6A1-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001293592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.954{69CF5F33-DFB6-6152-A8A1-00000000FD01}25643352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219469C5CFD8BF3AF7106F056F21F56,SHA256=D730C757B1669D2571F695CB846B406086CB4D3827E169054BDF4E94705AE286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:14.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E746999884C65ADC5DB51C73414871FF,SHA256=628EA32185D8135B1EF9E02E05E5B6B3B7EFA613BCEEA81D9C23912807380274,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB6-6152-A8A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DFB6-6152-A8A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.751{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB6-6152-A8A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.737{69CF5F33-DFB6-6152-A8A1-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001293577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFB6-6152-A7A1-00000000FD01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DFB6-6152-A7A1-00000000FD01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.064{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFB6-6152-A7A1-00000000FD01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.049{69CF5F33-DFB6-6152-A7A1-00000000FD01}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:15.811{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF745F3CFB8EC8A70FFBA62565F1EE0,SHA256=CBAF29E32D6D6EACB5A783848D4BD5472164062236DA0C020D937BC84B5EB795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:15.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=199B341947B4D101A54FECFC4517D660,SHA256=475FBED02A17D0B6A368EB877884861C6ACA306C655C49A7998F65F781BED9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.109{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59083-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001386647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.954{5EBD8912-DFB8-6152-B428-00000000FD01}60046744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.949{5EBD8912-8CBD-6151-0B00-00000000FD01}640584C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001386645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.865{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\pending_pings\02f004d1-357f-4d41-b968-0381688b6f33MD5=B3DFC69D948CA9C3E1859BC10F938297,SHA256=445464C302406B17EC030CAA511CE00BAF133E0AFE19D7A77E3D6CD4BDAAEB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695CA7C16870D596B6B161F3DF2329E6,SHA256=28A13E6C515980951FFB2ABC42F4BD124045EAA25E97A81A13F9C28EFF27C6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:16.426{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5726MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:16.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5887180563A1F2F8130305A34FE579C8,SHA256=D009877A8B359F42814BB9CDB6C5D058624F8715FBCD669C88BBB3556ACBF3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.610{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=B1243BEE572DA07EC4C61F6B2A9A881B,SHA256=DD7522975C06BD32691ABDB6635EF39E33D6DC72EF730824836E18B099C81ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.610{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=48CCE5B44A8CB02D8F1E4CD160823779,SHA256=8353B602DBBD59FFAF72753E906961B52894D9AECEF7939C3376D2A2D9A3489E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.595{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=29A5A494E49BFF58AF05DF448E589C5A,SHA256=6DE1D0E9B9BB5691E6136A89333B8A871ED78144F977C56235E6E642558FBB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.595{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=95DA1263AAE029ADB23B4D2209BDA80B,SHA256=612ADFD584145E11BCF64B908A4A9527EF5CE85731B23F56F783560CB9FEF6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.595{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F7F2C073F43FAD14BCA81B1145D33013,SHA256=29438752C3C21E23AE714EB25A597B32AC8D5A9EB10B898FBABEFDC86080F0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.595{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7BEAC38217A6A62AFE8E3EE66DB486AF,SHA256=A329C9CAB8B812C60D5B5EE5C52ADA399FABBD75CF7B181B90B15EF2FE04AB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.595{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D232A0AC3FC6E265E0AFE73BB8759785,SHA256=3C36A37F270BCDE4F04EB2E1199246A52F4F0359CE1A0C133A7F5AF97FCB6CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.579{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7C0BC048FE62D9B506FFD59EE564D402,SHA256=FE60735637F2FEAC8884D75D140D1C7835DED3C6B8ED2A1366D8F80CC9090D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.579{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=68E1B6FAF0D5089186E3DD6A6CE9F016,SHA256=8FBD5D078DFBA56B4BF1DFF8C89312DE77DB319C8090F6D95E367FBC92A24F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.579{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E7474004CD439F14F5627B725CE1885C,SHA256=B95466A6FAB399FE1B6C2C3BED993C3818CEC69450392AC03F065DF201C4F59D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB8-6152-B428-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DFB8-6152-B428-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.542{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB8-6152-B428-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:16.543{5EBD8912-DFB8-6152-B428-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.860{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD81B97984FACD1418C1E86875130072,SHA256=07E62AF650A6CC3AF2A935DC8A76056C7D21BF85A4B466BCA58AB524600DEF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:17.440{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5727MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:17.282{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D56A052E895329D1B9BA2CC2F248CBD,SHA256=71BEF20F3AEAA4C526F113999BFD65EBEAEC53670EA3E4C76DE41DF85B2FF337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.598{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7BBD99D3AFCB0985019A4296693D8D,SHA256=3433D3E4EABC0674BE91ADC7E55AC92FD8A80873235109DF23033B2F19E25622,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.545{5EBD8912-DFB9-6152-B528-00000000FD01}63405072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFB9-6152-B528-00000000FD01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DFB9-6152-B528-00000000FD01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.377{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFB9-6152-B528-00000000FD01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.378{5EBD8912-DFB9-6152-B528-00000000FD01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:18.960{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E700235B0A679EBF08E10A51C072DC,SHA256=CFCDEEF50953135CFEEEDD21ED015DB4097EB8639ECE75F2189744D85C272680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:18.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3892FB23591B88B9D19C94A2E5039EA,SHA256=A8945E192BEEAFE4CD48CAFE0B78AC7AF4ED32C1F25EB57CBF9D3422E85D88B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:18.113{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:18.113{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001386664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.619{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local59084-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x80000000000000001386663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.617{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53748- 354300x80000000000000001386662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.613{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local57727-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001386661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.613{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63683- 354300x80000000000000001386660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.613{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63683-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001293598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:14.542{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61784-false10.0.1.12-8000- 23542300x80000000000000001386675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:19.997{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE12D0A8344A1503582FEE1E19A7188,SHA256=F54C181863318E7CD68CAEF94F061E71ADE84AD46A1EA490BEB8D20E9395CEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:19.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A3030FCDCC54C9CCDD40AA0A0C7A30,SHA256=9F4B9C594D8F70783749C80BB0367190443D742F16381D768A5FF17134F57CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:19.596{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1409MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.944{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59087-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001386672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.944{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59087-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001386671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.852{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local59086-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001386670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.852{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59086-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001386669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.837{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59085-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001386668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:17.837{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59085-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001293603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:20.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311DD6012B1D3B7AE0BD183EB71727D0,SHA256=0494D2D457CBEFA3F60C45D00817957B199E2EDA5A088362617AC2B93BEBB783,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.118{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261785-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001386691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.594{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1410MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.550{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.550{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.550{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.492{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.477{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFBC-6152-B628-00000000FD01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFBC-6152-B628-00000000FD01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFBC-6152-B628-00000000FD01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:20.013{5EBD8912-DFBC-6152-B628-00000000FD01}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001293602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:16.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com44610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:20.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5E62EF592182B12B94259267380813,SHA256=1032E30498B10239620A9161FB514AEF6DC52A0D5B88398614E5E3F39C456DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:21.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E1BA47B627E43EDC2275DFE7FD41A1,SHA256=088A936B0378E061E24FE5C3959C709419331638D0197E1C01F3B6C6C5232DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:21.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A50B37563D246714A3325A39543C2F,SHA256=CF684969536030F630D0D50BC01755B141A9B28EC336DD446D0333A6E6E6B3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:21.014{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B4E3A17EEE6581DF305B10961E1B42,SHA256=E94EB7EC788FF0362682413498973DC6863181222818F3D4851B25A9BF0F3E28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:17.425{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61785-false10.0.1.14-49672- 23542300x80000000000000001293619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE9865CDF9E2EC3A2575CF679E2BD62,SHA256=93C7FA30AB9306134A12F0D23E0310078EAA94496FD5026506D8CB95CC321C25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:22.044{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59088-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:22.029{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA52E1077801E68FB18BAADA20E4D0B5,SHA256=F8D18EA63D25016E96472DBEAB6A6811DD72485C6131E297E263CE49F3F13CD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFBE-6152-A9A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFBE-6152-A9A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.505{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFBE-6152-A9A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:22.490{69CF5F33-DFBE-6152-A9A1-00000000FD01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:23.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D68D41D5F2014EB761F8B6312AF605C,SHA256=B7FC421DE1941A650D165B92B81DE7D2EA08D3E985BC09749DF1804BB3E31A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:23.044{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D5FC4F4E817E04881801F0D20C1D6F,SHA256=A1385EE28C302A7B305F6B556D549F21205C75E8FBEFB11600C3B1AF2FBAD86A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:20.404{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61786-false10.0.1.12-8000- 23542300x80000000000000001293620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:23.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA49AB8BB7070C5E8DF22C7042CB9EF,SHA256=3A598034934984FE834150A569C5FDBD8B01B276871BFFC26B40EAFECC93D8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:24.771{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EC1B72378D1145568F6DB240204BD0,SHA256=01720A9C78CAA67381905E35B7F0DD4D255FEB3F50658DBE4C55A9D06AE5463C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001386699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:26:24.228{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b44a-0xe7ebb96b) 23542300x80000000000000001386698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:24.075{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2E7A4E2B1C806F9CF40CD98B5D2172,SHA256=6C52224A0650B78228DDBC0C19DB7C44F4CE17E7FF88A34BC4049821C7281A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:25.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E817D2A7138BC45440C14AA178BD552,SHA256=3FF236B422AA018F4243F28D601E948BCE62AD59E533E942497A939EBE86FA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:25.095{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F655345C67174EE4D606EDC755BC52,SHA256=D718856A0BB03DD1776780A7D2D37BD5772687A01848FEDE186605F0A5DCEF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:26.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1225BD892B606F0089064AAD02FAEA7C,SHA256=3D6B8B82F60E2A3CE53ADE5E6ADF9BE71699F0A8D503F4B94A8740A082E787BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:26.110{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B2D428A82E7A992A8C0F22584CBFA4,SHA256=41E38261315086BA90B023BF078DB70162202197739E6B55BE8B4D255EEB172B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:23.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-3594-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:23.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-3438-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:26.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C686ACFE412C62159FBD7AB639C1457,SHA256=56AAB06D8F3D06E5002A1D53482FE67F65DD74ABB6828BCF398E5609A50EEAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:27.125{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC3AC118F1B3A2DF066431F907DF19A,SHA256=9CBD9FFC4601FFFF6DCE9B607326F512872A1D07D578DB6D1F9AF8B98A9E0505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:27.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE7D6F46A1542ED142F9BA6D7811FB4,SHA256=1D9635E4227E85FE57204B45C43FC9EBED33A60B81897F5854103CF06600AECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0617678ECFA4231F2B6658125800C9BF,SHA256=15313D213D96F44D113FE544F1D8D4BD6470261C639CD9BF5F7E9F99912FCDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A5A6FC1D40A19012C7CA4F23F67511,SHA256=C016FCAFFFC13D1165D0CA4AEC2C6D9FEE998F87D1BBB0654BB7C145F0F83C98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.371{5EBD8912-CDB7-6152-8426-00000000FD01}41725548C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001386717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.355{5EBD8912-CDB7-6152-8426-00000000FD01}41725064C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.339{5EBD8912-CDB7-6152-8426-00000000FD01}41725548C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDBA-6152-8926-00000000FD01}1568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1d25067|UNKNOWN(000000E0C5A87C24) 23542300x80000000000000001386705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.155{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACB0736774BBB227BA1B077BE6F13A0,SHA256=800F47E74A1A56FE53921AD3FBACBE9125404F3C235D7AED3F1C345B493EDE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:28.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C49639A0883B4B17E3705AEDA56508E,SHA256=B7822EEFA5F977F86D6DB7650AD5BDFCCC70E372A3960C106C8799693A25BF10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:25.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:28.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC513A8E34E957B46BA74C57D4C22052,SHA256=6148A8D3E2FE3C69678BA394C9D1F9635C285F5AC390AD732AE537C74FCE3857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.093{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.093{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:29.170{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1E1116454A42869A9AD25BC2504EA0,SHA256=1C8C7D142536E5C50EC25841136898602D56F13A55C55E5C9034F0D4DDFD8126,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:26.206{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12592-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:25.591{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61787-false10.0.1.12-8000- 23542300x80000000000000001293633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:29.036{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D34F6CC051CD58B5117513B1126800D,SHA256=7DA2255FB30A2B79DBFEBEEF8A58A8F5040E069B4E215BA379EE4CD17626C40A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:28.070{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001386724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:30.353{5EBD8912-CDB7-6152-8426-00000000FD01}41725548C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDBA-6152-8926-00000000FD01}1568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:30.191{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805807030EC0BC29C8822F9FDA5D854B,SHA256=C5C55890C4CA31433808A35DE357BADC4EC84A0D47C249ACC2C48772C09397C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:30.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FF1513968D6428D48E3990A1DF7D67,SHA256=1CCC5702316D1C3A2A13629AA8FED4FBBA3311398B5928DE9EC93E0C6925C5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:30.146{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD2042B7AB96AA79DF271FC68881372A,SHA256=AEF70C415B033AF61CD1F967B4D3FF5075BE895759020EA3179D164A5909FE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:31.207{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3134D8234E0A3F9E992C0EC86DF418,SHA256=E510EFA8BD1EAF1AEB9C897BA1EDB72EE8F228B15CAA7D0BF3717D4D6A7106FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:31.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2B7EAA4574D5C3E57379B0B46BD4CD,SHA256=1B839AF29ADFF41AF760BC7922E314A755CECC4A05ED50CED290E83DFA82EEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:31.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE88117E5AA9FCC335EEAFF35ED888E8,SHA256=0921EADDFEB502FDDD63B10BDF6697C8307A3F8133CFCA33C821A3AAA6FCF307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:32.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC34FCC0E1A92349CAD1B9C50AB716E,SHA256=5EE82DC36F776C9541C7AA3182E7A606E349E75EB46B901ADF6FA4133B5A3588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:32.221{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB226016A09406EACF14AA742A84DF1,SHA256=BEAE9CD7B5D38E6B68D6F19E80757BD3B130CCA0C140AD963F22CEF60FF539C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:32.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D1E50E139804BFF238B02F425ACD47,SHA256=1E2F0488BE800EF1937D97980781DAA866588DD6DCF62544A4A5A7A86D889E47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:28.518{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:27.394{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17060-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:33.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB73458016BC7C2CBE2AE4CCC4BB823,SHA256=426585122DC38B34FFA834CD179C0B0F25F2BE797BD442697D61234684379C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=84AFF16EECDF080CC541DF6849902C18,SHA256=1243E31EDB6AE0C7ADD7DFB58A8B5555DD6927E3F9D6A3B150BF0022B4A2602C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EB905FB740A352460371351C09CF4729,SHA256=C0E9AF4CD1399A235D487F839C0AC0C92DFB634314B17C88C0FEDE2BCF3CF00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B4D545C9323F0FA689920E2AD54D24CF,SHA256=78787A7B82690A9E8B4EA3594B3B87BC5D54A9A51C0D9BF156C7B6DD9754D78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=139D44721AB87E98EF0ED4218C266A58,SHA256=A48DD806E9C4F1758024A1DE03EC5AC7B29FBD7923AA694D47DE6B7C17859684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=27FD05226D4D2F64BFA93A8F2F0C61CE,SHA256=9282A056C03157D41C353FBA612DB03E3ACC99C35F2E1B08A1540C4A2590EC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=48C6E7184D59A40BC89B8EE10BCE2A56,SHA256=0A3CF14744A0640701E2F8FE64455CAD3FE45A02F31EE9E0ABDF392D17E94B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.769{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C2B2ABC17CF2EEF32804F995C64BC831,SHA256=AE8B48CC986BC11141F48F1E8817215420F79F09C6DEC036E5E9090B3CF7D959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0617678ECFA4231F2B6658125800C9BF,SHA256=15313D213D96F44D113FE544F1D8D4BD6470261C639CD9BF5F7E9F99912FCDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A391FE8261DA80AE54A96B91628CADED,SHA256=D289F76FAF3287639BBC15DD8D0C2F45E4A1490445AE73AA36614603D0D6005B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:33.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D0699429330E2997ED02E9B3A6E138,SHA256=32F6E1289094A5C73CDF159769A649ED7ACA2B40D0C1D91455061B445CC93A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:34.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DE48CCC75E8850642725906E1B853B,SHA256=43F334ACB541FC44BEF756DAD08D832545C360CE0EC2E39891EB27902777D351,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.178.8static.8.178.203.116.clients.your-server.de51984-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001386737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:33.151{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:34.237{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9D123CCE6DC462ECB0A8AF3852F036,SHA256=219A5B955704C5EBCC009C94FFE33C4878CFAC2A976076BA1A1E0619C615460D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:34.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=946C5BCA91B72D1134F3475A91D281B0,SHA256=5A523DEFB4850BB2CD924616DCB47910192076D12D9523195DB34C9FDACBAF3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:30.713{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:29.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-26235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:35.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F12F529056C020E61E0D4D6C4F10922,SHA256=E18722E389D8BBE93D0F0B0B762BF647144C233046A76DE3D97FBB64ED39A9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:35.252{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3F4DDCE7AF3E7F1D291270C687727D,SHA256=B4DCEADAC8296C441A909EC35DE2DA4DC1909DE1EBF9B21CDA8DA0B5EE2F5D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:35.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B4DB06643E1803DF85F267D334F7D4,SHA256=7491B69369746FC27F63E1F23B9D92A02CBFC01A01839CD0257E025EABE6DA8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:31.829{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:31.607{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61788-false10.0.1.12-8000- 23542300x80000000000000001293656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:36.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F7C1D04DEA1000993D7B8C890FD377,SHA256=7D40E0A77AE3279CA3AEA2835D0BE26A43B7104AF7CAE522B61B30B2907B70E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:36.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCDCDD7650CF25CC6248180D03CC9B4,SHA256=EA62B5409E109EAAF6BE8302F3A7FB2651194393C7B3F2C792315E11CEEAA5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:36.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CE0CA75F1F978C600B5FC746C7C5127,SHA256=9DDA16FAB10442CC7DC9F6B2FB977E7631ADD4F90AAA1AB396D5C71321347E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:32.939{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39307-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:37.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A748B36B1287FCFB1BF6A95299A72D1B,SHA256=7BA7E617BA40570FBA95EECFA014A2AE8071FDD0EB7764ACEEBAAD6A1F224E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:37.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A359596CA349CC06EA251577F4E4E70D,SHA256=5A19F3FD8981F88FDB9ACF74F966709C7CBBDFEBF690B47B2A5B093503CEB4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:37.818{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F4880BF4026625C94E9CA9DC8CC412E,SHA256=4B4B7F7E164C7BA22F2DF44BC0A94D828539AD369BE1D81984B6815F0923A58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:38.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1C5308639502F6E4445C3CA8DBA479,SHA256=44AAB993C59C5D8456C476823C1F76D15D4DB42EB3728E9CF9D985817F873608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:38.883{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=429B9BA299759B1873634863D9413B79,SHA256=4C4E1CC5B81237C1F17EA1C9A525652859E8114F60DAE64D26D4E0A558C6D471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.786{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C0ADDE5CAF710F5E79DFF03262884C4D,SHA256=2221D72D4D784B47086DD08F523A3012A00E1E40CCAFF0B3421D1CF7930D70F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.786{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=26A02966959D9817239931AF656A6B99,SHA256=F2AF19A97458C18233A262F055EFE2ECB9D787761D03AF29BEF8E639C2EAF570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.786{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=26791AB3083BA45B4EF3CE8A9B402F63,SHA256=315BE13404CAF85A2E5D1072C340C586734A0A5B7F68DB08A900ED6C308F00C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.785{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E5DE449360D4DF2F2EF95C86F58D9C3F,SHA256=FA7F8527ACFFCFC03908B1E9027D8B975B20FC8335CBE0BA75CD5C4E21A5DC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.784{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6F31032FFCC8F82A745FA81A38F835FD,SHA256=BD7D4CE2193EE99C24BFBE162A650C3977616D7F9769F0AFF09519EA2F2FE371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.783{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B5BDE7DCFAD45ACE086A4BF6BA4AB614,SHA256=840C5AD15972D80C8406145898294DAD01E461C3CA07984D58A6BD2F7C67CF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.782{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2070F5F63FF7E958B99481CB347987BF,SHA256=D2BC5BE72A85702B93401530103BF5089128B3E271C1DDBBA24F0BA02F8569BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.303{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7489F1038A1B40249CB02646178A5ED,SHA256=B134542DE9D78E3DDDC273465401F3F5804A7B55E8942447D3828D042EEA8A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:35.096{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-47667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:34.017{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43617-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:39.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFF04B8969027E88C39B315A30FDFE73,SHA256=C78B2E7070E51F0C4DD60E0AC22E1F245E614F6D371C4F35D11C1F9AA5FBBD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:39.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E588ECF92871E9C00F4870809A707F22,SHA256=C0B44F44A71E466908DC29688CBEC6CB1B12E282FC940DC4540946CDAE803F97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.716{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001386754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:38.164{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:37.537{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.202.72static.72.202.203.116.clients.your-server.de53830-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001386752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBFC66CE6088ADFAC46FC7D6D091E4D,SHA256=CCBB256FD38534A1A513F2F37629F013B61C4C7C6BCE6B40393040F3C039A1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=805F460BA608ED5E135A488162CF2574,SHA256=BB85C9C0C5E95AEFAEA74E77271ECD7524094BE528DB31EEC3BEB059609A269D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:39.333{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93514AE53B286BA1E6F79DAAFC804341,SHA256=82966F27DBA0111FB284C67B158F714A8033F8418FF9BD4FC727BBFCBFF3552E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:36.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:40.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60425720BE462A08C4EFBACC8B43A4C,SHA256=099C6E4AD086050134F0A75D0AE1BDFDDCC60F2E31239825553FB50EBA034C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:40.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86F77E3C1632EEF1A3266B04FF942A3,SHA256=87061F8D0924F5EABE9560122323C9716464183EF4AA01329A7A8BD698AD4934,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:37.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-56650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:41.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94AAF39A3703CF9F8DA15BE8F2BD315,SHA256=C5A125B2E21BE58842F8D8C7A54372C4697700FAB800168348F8424E5D650035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:41.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2352894196BF65C9435E204461EAE7C7,SHA256=03AFBCB08F2186AA9F3BDF6B6D2588EAD8C7B1E1C1F619004151EC681866244D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:37.517{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61789-false10.0.1.12-8000- 23542300x80000000000000001293668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:41.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F82DAEABD733CE24CB23759B833CDD7,SHA256=D1B8FCECAA0EFEEE112CE52BDA5673A6452EB6A0ABBC286CC26C2D4F45903924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:42.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4585EEFFE0BFEF775DC4F1BB7D01C4A4,SHA256=4A85255067194AF26A8449CBECDD41C12B326A6E9A5A4D91CA86FF2D30A4255E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:42.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07385DF0568EB084959368CA5CC97FA,SHA256=E4E2B8E73EE0A509A38A58B7676D3F5A6B10D53A8AF4D24054B8A62E028FAE12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:39.473{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:38.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1720-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:42.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C2003529FF3333D75667C353A37DB0E,SHA256=77E25780160AA6DC29C94244D9804BF5F4174A580CD4461524CFB5C00D84C8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:43.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B2439677FEF6D1E969A51ACC03C683,SHA256=7E11B344DD105B11F67A32BC8ACC3EC1A49E906855E5B97D95BB5431E48E01B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:43.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7AC770DC8CAFB91DB43ABF944494DB,SHA256=1856B9957A5B8EDF3260627E0D168BB4841E8A9E71E94D316EA19F1FA761730C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:40.552{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-10566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:43.258{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5F2ECDC8BF1E37B05A88D55335CB783,SHA256=BFAC9D75EA84EFF187ED05C48F6C066D17EC8B68B84F8E24DA65BE3AFCE1211D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:43.128{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59092-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001386790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:43.128{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59092-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001386789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:43.145{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBFC66CE6088ADFAC46FC7D6D091E4D,SHA256=CCBB256FD38534A1A513F2F37629F013B61C4C7C6BCE6B40393040F3C039A1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:44.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07D5836C3C4FC3660D33DCE277A700A,SHA256=2DB93B675CE66E7EDA21FA6689C5057BF973670C519838F7B46C46F1FA4259C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:44.528{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC388C8A462A9D86FB63E05F24675C69,SHA256=48EF9B685BEB8582162C64F1D53848A25FAE0B32D36928745AA6D0B961123536,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:41.630{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14658-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:44.383{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4259CD08C49DBFDE2AC61835C1C0F9D0,SHA256=62FD9EBFCF65964A3AC64DF64BD0A59EE5C92FBF17E00DAF1EB265937F7E8F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:44.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860065A25047BD6623475F95B7E66F25,SHA256=3DEA302ED26AAD1BA8567578D53D7651DFC31B5F3B5F8A1C5D79FA7ADF7AADCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:43.175{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59093-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:45.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E77DC252647DE3025129411CE1B708,SHA256=F3CFB17A8608E23D238A5FB2E392846D8D6C5D0E9728C86CF42D1BE0CAE1A9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:45.543{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A97B0A79DE7A79690B00D942AF282ED,SHA256=0DE8336E3CFBA9EFAD50E9F2ED9468001E6F24A44D4A9418908B5BFB0D14C226,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:42.547{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61790-false10.0.1.12-8000- 23542300x80000000000000001293682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:45.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD5221378AE6746D558EEE9E7F5BC45,SHA256=CE4522DC5A2685E94017F9298B369B42C0F01146951850184F564D42CFDF6452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:45.243{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6462C4CB943F35398497D5C1285845A8,SHA256=20C5D669F066262847E46AE652701C6278F460E7056A211E9473FA7A98D9CB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:46.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41A2D010950F6C2330645209CBD425C,SHA256=EA45191FBFFB3B80E04E36751342FFCAD983935588395264880C54DBC9AFBDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:46.558{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746B895D3A6DCD259499AE5E2DABFFB6,SHA256=C7E4C12680016B34A4BCACA90A2A9A0FD3542BDAEB756F908E609FA22891DA8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:42.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18969-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:46.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233B91040BE721AEFE5651EFE4AB8F11,SHA256=40B1F0F9E15AE387D409E9D618E9C2860E2CF8E8924D9C7EAAEF34C420C8AA79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:44.886{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40077-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:47.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0AB2656B31C3F69365DF7DB847F625,SHA256=61EBB60EDC32F97580067662040B0FF28BCAF246662C67001CC05A3C1A512580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:47.894{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:47.626{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7962E583948F75E5974F971FBDD7B420,SHA256=26D59498E1F4885642ED812CAB714B1F29752FA6C370443164F19B603873C6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:43.894{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:47.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B608E9DEE509296AF233B1DC0BA33C6A,SHA256=6250B4435955A02B3068DA05A2C6614B663D66E21B7620EE39BEC1CDA24E43E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:47.352{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:48.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C881C663675EF84DD10DC4A316978C,SHA256=FD9FCD3053B323ED7A0B4EB1B89EE28667BADF507D78356255E5D93829C404D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:48.627{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF72BE9B7FC72BDB270B0252562B8F2,SHA256=BCFE557966B10E041779BD470C659834BF1DC13983F79D49D3565407B61916FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:45.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:48.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B5E5AACD56F95835DD862E2B5A5BD80,SHA256=8BCF9EA8464ACE1ABD376CEF06E702E5A967849E649C8AB83184794F130FA0C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:49.757{5EBD8912-8D68-6151-AC00-00000000FD01}5236ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=6DA1644AB3A58EA93FB6E44FCE99AD56,SHA256=ECC482849D9C3BFE7C39EECDF9C258424B26C0CE95FA8639D55FD0E245ECE1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:49.657{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF817866DC45EDAF8CCFA3709F5E75C,SHA256=25A2A65C85BBD5719665649FF0AF9D089BB9B673591CAA9C33FF7F289EE2652D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:49.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614C140BC9AF2D770D88C8EB2CAD1E91,SHA256=18BFD1BCDED9DCB53AFE0CBE4444F530399F7E18D4D37EAEB066B123DD80415C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:46.083{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31935-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:45.688{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61791-false10.0.1.12-8089- 23542300x80000000000000001386806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:50.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4287CE8B4DA04DBC31EB30FED0EE8821,SHA256=9B82E946C8235E94AAB7E19C3CF83161C88964CB0F4E88A736B86FC6DD13A617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:50.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F7C6CB26A87BD3B42297E5DC7EEE190,SHA256=01336B46E5CE66C65C083CB83557DC4B28240C34F3449E22166D2667D0A990C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:47.161{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:50.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A2F42185F70CF0E73DBFF004FC21A9,SHA256=CC6DAFE3F001E49CF640E25070FC5C98164A1EF4985780E4E3D5015F680E9527,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:49.155{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001386804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:48.872{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59094-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001386807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:51.708{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777A50F7C70A1A6B3BFC7FFC4B88ECE7,SHA256=A89BF41FFD3B4B8765A7A36C600E076008A6ECDBA32BAC17AFAB2FB0B49B1F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:51.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ED3088F6B4E80C67A2D50B3C30B991,SHA256=2309F9D41D6DFC60503485B8DBE20170F5B884DBBF0CEB5FFF12727D09D2218A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:52.723{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBC75A38A2CEC9AFF1A998118D3BEFD,SHA256=08E959C8CC51CF8F0CBF30823DAEE50BF9CA3E3770F6855EB4507FF233C6C365,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:49.317{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:48.485{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61792-false10.0.1.12-8000- 354300x80000000000000001293704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:48.238{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-40215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:52.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F7539BEED45B6B176F0F5969EA534C9,SHA256=C275DE463BB9F398E40BE82F4993038DEECA9348B021BC1360E64BA10D520BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:52.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73887E9E6F0563E298270CBD19EC571A,SHA256=B6E6F305B92AAD230CFCCD5F42B933F959A46F2D2D4E8FEA7E07C350E9FED3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:53.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC85A52A46BB54D5F441B9078FBB3EAC,SHA256=3A594E6CF1C6E6DF35D2EE9F33CDD9CCBDCD1E2391F6BD7D39AD84F653BEA19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:53.258{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E5240318ABE75F859CD965E1DB3B41D,SHA256=2B794FE823360688EE0E57EDF79E81E0CC4FC9DF53D046541BECDF8F6E450A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:53.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C60392B6D75FB14E298C5BE3496D65,SHA256=6A7C95D8B92A26565BAC64DD0904ACAF9556EA1FAF527045EA3D52CD9F39D79E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:54.790{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E200D294B7089A9A3131E8B98D37A3,SHA256=ECB951D9F4349AF516208CD77CDEDE4472967381E938A4B0F250015DAE657390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:54.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14BC792B2244E845E40A0362E6020620,SHA256=5E26FBFB7DC09025C3BF1004E8661E58AA43C3D495425720EC66A1EB3FDBECE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:54.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86E6345C9B6D006DB3944295CC28A81,SHA256=732E19063D98E313C980FCFC856DF5F399F8ED9E3F2FF3A2FDFB896BC6C4D12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:55.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB31AEF7306048BB4FF49DD1BC668D4,SHA256=6475CEA199091B4C7C6CFC682B018A2A6ED32B75B1F8D13CD575B8442624F851,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:55.188{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:55.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5E4A551C9FC4827A066BF1D9BC88D0,SHA256=486B1591AC491F320D7C2E9CB5A669EB54196FA00310EF0DA0AB1B414C3287F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:55.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7B1771ED83D2ADA2C82DF0FFD94E57,SHA256=A8CF82C350DEC76A3B00AC0B5A43BB5427EB2AF170885BE9ADC2A38ADE8F6EF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:51.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52065-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:50.546{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48310-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:56.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5E3CD384D170669DCDA4B02FF2BEA6,SHA256=2E0A9CBE21FC8749BDB9FAE29E81C3D44C66A741E734F2FBFD25173FCD78EAF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:53.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:56.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1537363BAAD8038A4B3F0E4C694AD3A7,SHA256=BF34FF10350A2AD9B06B67A8F7CFD57D5B2779E45157656AE05C99799C9F496B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:56.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147818BD5F01C69681E52F53544FE289,SHA256=F6F771355E6322964656529852FC8BAD6D71DEDA97301E6141CA553461A2E10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:56.768{5EBD8912-8D68-6151-AC00-00000000FD01}5236ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-28_092649MD5=96DBBBAF8A8D78D8E787D753A0A13873,SHA256=B16A99268A086F4F85D89953B944C4B8E42BC8FE7E34AB7EB3CA13324D8DC211,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:52.708{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-56485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:57.869{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6902A59821A20A26B90962D158BD8582,SHA256=CE28204D4167931041D8ABC2585AFD9E7127D18FD6B783250C1B676E045898FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:57.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97DC1303991352756CDC86C391901DB8,SHA256=17A8613B729B6E8590E758950E157F96FC72620FC9B6EA33F6E8DCB6A778A7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:57.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479283DF68146B0B6DA39785B0B050D1,SHA256=C9DC8B84C713B591B6E43A36FA9EBA7D3A99244848306C7EBD26AC51E65CFC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:58.920{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522D68EB0EA2CC9BE61CD0000526D446,SHA256=6F2D3357CED518EEBDC46EBB83A545B3A9600B2D5C3C8DC2677E59F68155430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:58.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F13CD58DDCA7E3625451B15F4680F8E,SHA256=5F8D8ECF8A42730CE089F0ACD180950E76D9BA15A6FA973BDA51D0FEA4DF7D49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:54.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5486-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:54.532{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61793-false10.0.1.12-8000- 23542300x80000000000000001293721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:58.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2FA3D9C7E0666F9BE6DF1F4347A2FC,SHA256=4C38242BB33835180B6595249C28BC8C90314D6800BC62C77F9633D50C8652B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8CC0-6151-1600-00000000FD01}12965380C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8D26-6151-8500-00000000FD01}27604704C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.934{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001293727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:59.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE2FB3C80DFEF7B637D523EC05270C0,SHA256=DA7F4B154C35DEDF4A7C1F3318993BE7626C56167EE37183FBD1E48ECA8F826A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:56.007{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-9580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:59.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1526D8EFB830EAFA4D8BA4825F57D0B9,SHA256=37C91B9DF8C9788346A71D2E961E0E052C64481888E004056755848D41EFC6B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.903{5EBD8912-8CC0-6151-1600-00000000FD01}12965380C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.903{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.887{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.887{5EBD8912-8D26-6151-8500-00000000FD01}27604704C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.887{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.887{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B828-00000000FD01}2068C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.850{5EBD8912-8D29-6151-8C00-00000000FD01}34085552C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001386863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.850{5EBD8912-8D29-6151-8C00-00000000FD01}34085552C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001386862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.850{5EBD8912-8D2A-6151-9600-00000000FD01}46324900C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.850{5EBD8912-8D2A-6151-9600-00000000FD01}46324900C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.803{5EBD8912-8D29-6151-8C00-00000000FD01}34085552C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001386859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.803{5EBD8912-8D29-6151-8C00-00000000FD01}34085552C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001386858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.803{5EBD8912-8D29-6151-8C00-00000000FD01}34083120C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001386857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.803{5EBD8912-8D29-6151-8C00-00000000FD01}34083120C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001386856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46326312C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46326312C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001386853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001386852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.787{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0D00-00000000FD01}900932C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.772{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.771{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.771{5EBD8912-8D2A-6151-9600-00000000FD01}46326904C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.771{5EBD8912-8D2A-6151-9600-00000000FD01}46326904C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.750{5EBD8912-8CC0-6151-1600-00000000FD01}12965380C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.750{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.750{5EBD8912-8CC0-6151-1400-00000000FD01}10405628C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.734{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:26:59.731{5EBD8912-DFE3-6152-B728-00000000FD01}4732C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001386894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.974{5EBD8912-8D68-6151-AC00-00000000FD01}5236ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-09-28_092649MD5=FA6C800588DE22712D354704C87CBC96,SHA256=238933E038657D817B37BFA2BDBA192556EBD8BB408209785A1069C33FF8F2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.952{5EBD8912-8D68-6151-AC00-00000000FD01}5236ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=B267692733F6B8F1F817B7F6CB9C6831,SHA256=AE89E00D93ADEE7224A99426EF92B1DF92AF1D7CEB56D8B30E108E8F912A7E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.937{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395D9AD0DAAE0B15591B121B8E3AD238,SHA256=7F35A056D01927068BC7ECE3A9F222E76CADB5E9E4CD46C5387AC5ADA5A55894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:00.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43D776FDE70AC52F8B96B2A51C473CC9,SHA256=3336E575DBED57E6853C1E45D8147CB55F07BAB98C2C815EE32BDCC8AB9D8B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:00.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CD70CEC0147C9C9EE31FAE9229B061,SHA256=5E6E410143CBA67B732F7D1990D2A04459112895B94D4EA4A881D59E8D1B8560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8BD10596938FBD93C916098CE2407A3,SHA256=2B18EB5E20FB48E79DB0D200CF596599CFE33A9E492BA7DC53885EB32D0F4636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F530DAE837C3FFDB0C08F90B7916866,SHA256=42887EC1446C089804D397766EDD889520ED8F755A3521B827252938A6F40CFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.635{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001386888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.635{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001386887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.619{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.619{5EBD8912-8D2A-6151-9600-00000000FD01}46326940C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.604{5EBD8912-8D2A-6151-9600-00000000FD01}46326940C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.604{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.604{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.604{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.588{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.588{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.588{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.255{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ED4C2CC6E405D7047FBFFDEDDBBE3B,SHA256=A4671FFFBAD15D365D9F7EA6E495C6151333A9D30A251C5F01E0819FD9C53BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:00.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470479268E4490B92F76AAC63936633B,SHA256=C62746754FFDD339DB06FAD9701882AAAD53F7EB9D982E37A3AD5A3732ABA327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:01.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFD89143AD5642810B402DA47386FE9,SHA256=C75D2352C6D1FFD403D632730959E3178C6DC2BAFA7F8A28FF43F6944BC79A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:01.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E881AEC43550CF065A6F9AA35D79CB1,SHA256=D86018D7163B0A0D2648CA8CA5D6ADFF8142BC9DABB49FAC3A676070E4EEE4CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:58.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:57.115{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:01.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B330121E0E03959E1C84BC7614882EA3,SHA256=BBDC9FC92C17F0C7C50A7A01E445AD03B0A21940E9866C9D0610389B576C5B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:02.954{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC77DA5713D4967015291B0273344B2,SHA256=FDBFE98C7E6EA09A1DB278B1344006B3CCDEE7F93E8641CA2E208A31DC0831E2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001293745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001293744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x150278ea) 13241300x80000000000000001293743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b442-0x9c6d7682) 13241300x80000000000000001293742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0xfe31de82) 13241300x80000000000000001293741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0x5ff64682) 13241300x80000000000000001293740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001293739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x150278ea) 13241300x80000000000000001293738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b442-0x9c6d7682) 13241300x80000000000000001293737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44a-0xfe31de82) 13241300x80000000000000001293736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:27:02.492{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0x5ff64682) 354300x80000000000000001293735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:26:59.270{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:02.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580E8DA955F94E938F9BB72EA223D05A,SHA256=03B3874430F315CD75F39C62F028C097650B3713CB20436C5FF0460C2DE9BD99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:01.050{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001293747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:03.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB219C7BF3222FB7CACE7950E923159,SHA256=E897AB16B05F0EDE6FEF7B431D050D869B7D17BA77FCAD8EC6F7385292597FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:03.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF23DC6BF946D5FC416C01E7BEE73296,SHA256=C0157D45B7C5F837FD9105E9F2F062A1AD8FD281472C88B369BCB617809A090E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:04.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F863AC5F24853D6DC57C4DD46DA2A2,SHA256=9715A0AB5D0E2ACEB795FC2101D2236C215B9E5F522227D7E66D871F00058D45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:00.438{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61794-false10.0.1.12-8000- 354300x80000000000000001293750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:00.349{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-25044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:04.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B3CC3589762668751E41A4B919D407,SHA256=57C99BB0F22BDB4CFB4BF5C02D93B6DA899DB98CFD9C303EBF0A31D7FE70ED91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:04.133{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C77927EE9E2C505DE38A9050C51D44,SHA256=B2E2B7E402E3DDAE55BAAD3C5513A12CE00D91AE85B391D9037EB7E536FAADAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:01.440{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-28844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:05.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C78FE438AE500649E533C8A731604C4,SHA256=901A61BADBD1FF571A52EF7E41CF971644986C679E57346D3B3FC7204CF50BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:05.149{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3AAF8D7F72C823F6291BB420C29063,SHA256=9450D4F29D3805298A8C7948FA20112CEBF350AD7A880FC0A5B7CA80A49BEF38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.952{5EBD8912-8D29-6151-8D00-00000000FD01}41365696C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.905{5EBD8912-8CBF-6151-0C00-00000000FD01}8447072C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.905{5EBD8912-8CBF-6151-0C00-00000000FD01}8447072C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.905{5EBD8912-8CBF-6151-0C00-00000000FD01}8447072C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.320{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.320{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.320{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001386900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.320{5EBD8912-8CBF-6151-0C00-00000000FD01}8442824C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001386899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:05.020{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC7232B930D526AA01A4ECF2C09C1CA,SHA256=3FBD6DECD7EA460D688DDB67F6F0086373CEDE5A1780CD3F2B1479682BA28FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:06.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7558D671E8F5D6E9C131AF2815827C0A,SHA256=59F94EE3A2D63C745EC0856FA0898DCEB8BB0C03D3AC7D28371CF13B4156B55F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:02.566{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:06.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9AA61717C36910386247705A524B7F,SHA256=3559CF4CA7C6EC0CEDF7ADECAC5F6990842949F8B3590EDD409F96C297E2CD8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:06.187{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59098-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:06.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFA9A78ACFBCEF5CF7CDF00ABD11DA3,SHA256=3BE8AC88B8196E0072BC1DF88CF924F193F8F54855EDF05221DFAAB07DFC15B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:07.069{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9B27B6F3DD2EF1E438BB6478C2A54C,SHA256=76841F242686FA2B8A5F76E8269E78E0E42E0AB90167F4DCA22A91790F286280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:07.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F6A1A9EEDE724A9A12CD9C13E9383C2,SHA256=5AB74F50ABB529845D495A5E61ABF43308D6E35B8D7B093D27C619D316F3756E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:07.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84E8879E4204720AC8668FDD68AFDF4,SHA256=7D42F74C2C89CB1B2B1C9FFD4AB5F25843CA77A2BE521D9EDE1484631D577CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:08.088{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D966661898C7054FCFA589EEFF92C54F,SHA256=BEE01AA7D7062971B28CAD86A6E4708D6455F7FB002191EBCE951A5F40A2F18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:08.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E085AFC5B66DCE7D6D3182A5309DD65,SHA256=CC19DE400239A63D90206BCA2FB73B9C907EA52BBE6DF9A46A2DF22B64D05BC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:04.900{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-40888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:03.691{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:08.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923EDC2797F86B0BF161B4B0CD267A7,SHA256=6D0E2982C91557EAA650A7441E168EA6D5F49F7CC93BA77412F4971B5010C00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:09.119{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A116ED1745DF9F4F99FFC4E46D40297C,SHA256=CDD99C926E8742A156A7E146E34E5F5C9C9A68EA31ED72DC62848A766B20328B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:09.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2084582E74CA0DC2C1CD679C061330A,SHA256=E62CF00322C00AC6B1A1D4FCA99B30F87F1B1CE68919E0C7ABF1E4057600AF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:05.990{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44410-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:05.563{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61795-false10.0.1.12-8000- 23542300x80000000000000001293764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:09.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D7F7A4025B5AB5FC374C07BFA9A098,SHA256=3081CDEBFF145218D5C89B5CBB94716C57E17104642026E01A4BB0D5E524440F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:10.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46A56286A7F165BE22566AB19B97035A,SHA256=C7CE0AACE1174DA1D7B4DC3595AA9C293B19C1892418631DADC800CE321CDB04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:07.083{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:10.211{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE64848F207987A09D6F7997C58E169,SHA256=D29355AC250F468A223C2ACA37D07B26D0427A4E5D6739E19C4A0E36E1F60990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.917{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D069FBC9A2737D228105CE106EF63485,SHA256=A46DBA9CBE71C9E1F4E81539B5DFEEDAB08CB320363C71E518EFFB7007957E9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFEE-6152-BB28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFEE-6152-BB28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.848{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFEE-6152-BB28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.849{5EBD8912-DFEE-6152-BB28-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001386926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFEE-6152-BA28-00000000FD01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFEE-6152-BA28-00000000FD01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.186{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFEE-6152-BA28-00000000FD01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.187{5EBD8912-DFEE-6152-BA28-00000000FD01}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:10.133{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBAFE05AFCE557FADB435EB6B3F5CF0,SHA256=84B91B9E0FE07A463A0FB4B14C4F57DAF232483B74DBA2DD7D27F8B6BB3B6DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BAA5BC54FC15743B6878BB4DA6FF4D,SHA256=697145B40EE04048A330857B6817ADDD43010A2FD086D3D8620735B86742DEF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.602{69CF5F33-DFEF-6152-AAA1-00000000FD01}26602568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.399{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFEF-6152-AAA1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFEF-6152-AAA1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.383{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFEF-6152-AAA1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.369{69CF5F33-DFEF-6152-AAA1-00000000FD01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001293772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:08.175{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.227{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09456248CD4E79EF8A9BF7E21E4591AC,SHA256=E7B1FD518003D25CFD37E1A6EF10986E0E3F891A20918EED8FDE021A3CF21066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:11.206{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22741052E8D0D354FC5528FA3C9308BE,SHA256=F398987E2734D110756ABDF829D2BA969590B8F122E874E54EE5223CF4F98A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:11.206{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8BD10596938FBD93C916098CE2407A3,SHA256=2B18EB5E20FB48E79DB0D200CF596599CFE33A9E492BA7DC53885EB32D0F4636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:11.167{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23839463479908837C8A7E68A7DDEA9,SHA256=8210C16E6401F422A87CB8F953878BB4AB46B7899AD2B4D2C1C289F84E90B3D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:11.134{5EBD8912-DFEE-6152-BB28-00000000FD01}54526952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFF0-6152-ACA1-00000000FD01}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFF0-6152-ACA1-00000000FD01}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.789{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFF0-6152-ACA1-00000000FD01}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.774{69CF5F33-DFF0-6152-ACA1-00000000FD01}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52BD6643E4922F81B298C555400DB25,SHA256=B7567F5C18692364F12CC38E6927F9CC2C41A53BCCB791DF353D4E4AFD6E4205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.320{69CF5F33-DFF0-6152-ABA1-00000000FD01}25323836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.968{5EBD8912-DFF0-6152-BC28-00000000FD01}21323624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFF0-6152-BC28-00000000FD01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DFF0-6152-BC28-00000000FD01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.721{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFF0-6152-BC28-00000000FD01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.722{5EBD8912-DFF0-6152-BC28-00000000FD01}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.237{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECD1BAE3C307F502B2AC49D6D9C7786,SHA256=7E6DAEF2FD9701D6E3F7B56D3B2794586C5521040CBAB2232238955A1A5E48DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFF0-6152-ABA1-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DFF0-6152-ABA1-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.102{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFF0-6152-ABA1-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.056{69CF5F33-DFF0-6152-ABA1-00000000FD01}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001293834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.758{69CF5F33-DFF1-6152-ADA1-00000000FD01}35243164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFF1-6152-ADA1-00000000FD01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-DFF1-6152-ADA1-00000000FD01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.477{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFF1-6152-ADA1-00000000FD01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.462{69CF5F33-DFF1-6152-ADA1-00000000FD01}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B431A3D1407D1EA9E63387FE4EEAA2A5,SHA256=E96106462917B104C6BDBD796F71EA8DD45B8CB92D2A985AB93F81CACAF77655,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:12.219{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59099-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001386966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22741052E8D0D354FC5528FA3C9308BE,SHA256=F398987E2734D110756ABDF829D2BA969590B8F122E874E54EE5223CF4F98A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFF1-6152-BD28-00000000FD01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-DFF1-6152-BD28-00000000FD01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.389{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFF1-6152-BD28-00000000FD01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.390{5EBD8912-DFF1-6152-BD28-00000000FD01}4608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.252{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07ADD7C695132CAD99A1BBF5E067E56,SHA256=5C2B21301580E04942763F1C5CB739008E9CEEF9CC29AC13274E3F2233E654DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:10.590{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61796-false10.0.1.12-8000- 354300x80000000000000001293818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:10.379{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1215-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:09.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-56323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=430C8D4E16FDFE40A01596C07B15C570,SHA256=7E81E4C31CCFAEC2E61895656DAF720C7BC50C36D90592E48B3D04CFFB23F8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EBB2ADC46562E24E7B87DBE3F357D98F,SHA256=8F2344058DC7FE6AE5C07258B67B5277772047596FF60F0F96CF4CFE7233E93C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E6D8EB8FFDBE1E88619668DB3AE10C45,SHA256=15B1C3BAFB8CFD5829408C71910F431D0B0024C3808B0475957FBD5E5C5080B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8AF870B88233E5382774BC0042CF3439,SHA256=7BF9333055401B4840F19714EFD2EEEABB79DE041BF53696EFCEC84F05DF53F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B185D69C420DEA1CEE3825680F864F61,SHA256=D6A1572CA293C4266FA2C044CFC13C8E95F050981DFDDE45051A27D46A2B9120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B6B0E226A88D7FCF1BAE4B8AA4E9546C,SHA256=AFB4B4DB9F86895F83C3A4F33E8E27F05937A9224AC35DAEC65D91BE7592CBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C3A2F66969A417AC5C64A3C14857F447,SHA256=F3376B81803568058CD6B5C91AE73FB9C7D3164B1C933C8AE277E4D6E1C300E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:13.105{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FC827D4FF1E7D4CD0836F79FDEDE72E3,SHA256=A9902D50A72D8E35F7376D5A465389698858ACAB74DCDACAB09D738A3F9CE311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.883{69CF5F33-DFF2-6152-AFA1-00000000FD01}30443104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFF2-6152-AFA1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFF2-6152-AFA1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.695{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFF2-6152-AFA1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.668{69CF5F33-DFF2-6152-AFA1-00000000FD01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.664{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAE56F0B0FF00DEB7A2D6EA1BFFFC4D,SHA256=368B76323E55B5E6EC01E4A3972D55F04BA57F8586253E9A6D8607463437B8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:14.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF297A9A2E2EE727E1035FB8A0D39422,SHA256=5BC43D9DCD5E361D113A9228C8932E407987B2E89654AC3C5B17141A8D150DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:11.504{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5123-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2BB2BBD5DE89B12F4DC2CFF4B02C900,SHA256=BB31594408DC18D7EC207AC4853A98ABE5B512CD7408FC6EF53BCA6AA8BA781A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFF2-6152-AEA1-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-DFF2-6152-AEA1-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.164{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFF2-6152-AEA1-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.149{69CF5F33-DFF2-6152-AEA1-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:15.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB2AC0309CE050F7EE8A125B319926E,SHA256=16EDB3EAED4812A3F27E223F4ADE82DA792D4A86B59923BEB3BB564F83919791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:15.288{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C74A8CB88FC820267959E7777461A4,SHA256=65B503DD12256D6A0A1B537EA279BD1E487E7702F90E2AEDC344F21832E9F116,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:12.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:15.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8E1049CF4734C3370774570E1F23C1C,SHA256=FA8FC929B03A81DDB9D1986D38BC21FC6BE712E579905BE46C8D38AEE3B726E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:16.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35F00785EB7E0E33943EED13CF9E922,SHA256=07AB2F341E79FAEFB104580C24753A02391522778A6F1F4AC22FBD2391C4E114,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.749{5EBD8912-DFF4-6152-BE28-00000000FD01}67846400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFF4-6152-BE28-00000000FD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFF4-6152-BE28-00000000FD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.549{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFF4-6152-BE28-00000000FD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.550{5EBD8912-DFF4-6152-BE28-00000000FD01}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001386970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:16.302{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CA0A09848F7507BCE870867EFBC45C,SHA256=5357DC3FC01679CD922C4F2113D100975BC4DF6397217BE268F24172877868A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:16.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C3A5B441BD53AC739ADCCDB0895BB3,SHA256=5984A278940F08C2AE595D00059B9215EA25D7BB1E02C2BDAB4E92F5F50B4970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:17.965{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5727MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:17.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404FB80121F419B0746E27721947C953,SHA256=D177A9C902180FF6D179F8906169CC2F01BFE23A408E427E3970CEB77FFF1B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.551{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F7DAABCB9B95B46ED023A82CA1DA4C0,SHA256=4B52EE38ACA451BCA22378F8B6DD0D9AB21BDA550B02D5690600A269D527D149,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.404{5EBD8912-DFF5-6152-BF28-00000000FD01}53407096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001386988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8C7DFF9EC56ADEAAC6B4690F53E11B,SHA256=BB9A078753AB53846BC9E29A98E747067119472F7EE44CD5C76D0E3FF0377DF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:13.692{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12570-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:17.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB698C9B81294119B04FBFEDA878944,SHA256=E4B872D444ECBC7CF8C10EDA405C963505AD28A3F1092F0B9F76D920BD69EBEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001386987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFF5-6152-BF28-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-DFF5-6152-BF28-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.204{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFF5-6152-BF28-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:17.205{5EBD8912-DFF5-6152-BF28-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001386992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:18.634{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b44b-0x08596ae8) 23542300x80000000000000001386991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:18.368{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072FD637604A9A21F0B6B41B971DD0DC,SHA256=8680679864A5DC692947E3968F16B23E53FB4D0CEBE57B26D334B9E972B2319B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:18.968{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5728MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:18.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30FE317C7922F5A43C2BEE815F21371,SHA256=C27F9D905C0AF1451DCF45DA5190306CF7BE0C76C6C83A3A29CCF0F11DDB8F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:15.594{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61797-false10.0.1.12-8000- 354300x80000000000000001293874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:14.784{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-16237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001386994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:19.402{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85BC49E8097359D50640E063175F337,SHA256=EE37A8DA58F9D48FB1CF88D8B8ECE2B7CF844B7F153B1A6DE9D91E4C21C3BA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:19.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F349A0E1EA78C8924E2D6F52A67FA2EC,SHA256=838A05A2FD2F2C8531FCEE4925033FB8B2321C2C64E36455BBDA8F25D4CB84EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:15.911{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19942-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:19.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E9DC99E43A0BE08EAEA87F5E98459E,SHA256=8061918E0F1FB9CA6348BFF767CB5C8E149146A00479192707EBE1FB25B93C5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001386993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:18.149{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F642756C19113D633A43C9BE2514E14C,SHA256=B546CC48BD90F346B4E231604EDBCF4A19F896E43311B70C5E3D6445A5F3CDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:20.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DC5BA2E015CEA38226CE6AB7D5CDEBB,SHA256=19F0D96A35C3A683F81AFFAC3E2D8EA9D34FA1C53A30EF208B4FC231228EBB08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:17.162{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:20.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4D9CE31655512117C5FB88D26B875C,SHA256=D0686C1E607799A557A0DDB1739D01BB454FF7042238166066315C0885AD2303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.332{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.332{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.332{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001387003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:19.616{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 10341000x80000000000000001387002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-DFF8-6152-C028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001386997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-DFF8-6152-C028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001386996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-DFF8-6152-C028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001386995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:20.033{5EBD8912-DFF8-6152-C028-00000000FD01}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:21.448{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD0A57D8BEDFF4DE395C13126F6EEFE,SHA256=2FCE68978809288DA350139DF679489DE91AE3A3E77522358B4E6B61736401A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:18.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:21.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B7023150BB084829F69C1B34017AA8,SHA256=E4F4FA2A9C437246C09EACFA30CDD672B00F46C96CBD40035A45C3989C2E0F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:21.134{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1410MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:21.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03394ADA88F9D6365E1DB5793092DF85,SHA256=222F3D2D8AB53171F9F4DCD8B696A3015D638C1EE7F667643563CAF11A411740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:22.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8276721B5B0B17217111741BD6FE3C3,SHA256=BB65A7B087C93F1D424F9EC6BC5096A7804C4080570C7CA511866E32F72CA033,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001293900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-DFFA-6152-B0A1-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-DFFA-6152-B0A1-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001293890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.368{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-DFFA-6152-B0A1-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001293888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.353{69CF5F33-DFFA-6152-B0A1-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001293887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68012203003A06013314F639647B182B,SHA256=5B0EF7AC5F0C94687C0B9B672C37107042FA0583D95FD4F4A81F9B8A80EDD385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:22.135{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1411MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7290F16ACF4CC907DE143C901EAA95E,SHA256=3C88B906B8A4820161860D76F8CCD9C2EE53E55283142CABECBF64B479AA52CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:23.500{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD01F4725A83CC77259DA186D4D98BC,SHA256=E0DB2E1CD1EB81FC07B76AC92F7169EAA31F56D0ADDA065072F3589A65877D39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:20.397{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:19.318{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31045-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:23.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF0A965F1750AF6F058BD4E4B86307B5,SHA256=2E5118A187763B6D04223B4CF1145DB3BEB185433F84AFD6E254FE8BA68AE3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:23.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA20743F5871914BF3AFAFF42D02C0F8,SHA256=5813F62DE1E44173356B52D2AC89E5B26CF979237ACFB6D2EC81066294015FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:24.531{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF636B1021FD6343FF4555516BD9A53C,SHA256=6759E4F2C64F0147AEC76F1768F9200F77C46E47BEEC46E34C8457BFAE04C062,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:21.579{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61798-false10.0.1.12-8000- 354300x80000000000000001293907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:21.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-37961-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:24.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A528CACE39522EE7DB44DCA8D83C6C,SHA256=798E615C8F58529E31EB60D7C90443FE6C94CC8F5426B2D13323F963641D3F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:24.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F40798665A1157895C8BA2610A4433,SHA256=AA248C6FDA41B9F41B092BDD5B589197CD94FF3FFC26AA70472EBDB7C94B2CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:25.566{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4376FDD8E1233374585F40B32D23F028,SHA256=441369CA0E7588BD49BBF9BC090F3FB4E4CF31D3B8C62BD3DA8F8D8B28BB6463,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:22.599{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-41610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:25.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C5FA58B9A03B20EE376CD9E85CD03C,SHA256=4FD7A312AD9632AA11016F4ABCE4B433CE080A5A8B766A31332A42B1131A6160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:25.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E208D941F162422C0097AA6928A73B,SHA256=BE0FCB9AB2928DB5CDD165255BA9C8B9EF387ECC4305BAEBB89DEB360B190E55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:24.183{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001293914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:23.677{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-44936-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:26.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9648D901B1369AE1DEEDB66A7FD3047,SHA256=FA76E94E5039C351FCB23B4C737D01B1001B5EA50A9CD22A1E16582F611EDF40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:26.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5D0340D5851C1F2B8591693C4820AD,SHA256=08B83A310693B06E8F7C1E688E9F00B96A6B3A4E72C2B8FF2046F3B029CF796B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:26.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A2E98D621D8532D84AE5D7CCCFDB35,SHA256=7643E72AF24A2E28086ACBE9774A5AB20A4130259F316E4C00BB07A2FF5B5C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6BAA1A58C9889C07D6667F773EE9F779,SHA256=2449B2C3B13815DCCADF3A977132BB9DF395058AC2B9B4188106CB868D6DEA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=445437A45FB1A2A2F2F166E2BF1BA5D8,SHA256=CFE85F53A52007F5097DBFF64F94184BCABFF146B29ACEEEDD045A88B34EA192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0250F852A1E351E9738FEFF3445EBB80,SHA256=7C2A798581E36537F76EC64F8869099B2CF5B9086C01C2AD2BD185DE1F1760BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A3BF5B3CF67451BCEB63E8A950057F03,SHA256=225743AC3B90F516AAD9B8FA1FEB3A7D14A8D97F56B17C76324B3988AABAD1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F766D3B647EC454F02102C9D1681520F,SHA256=4E6895B6FDE4E5D887CCC0D697D39A7AE995B555C63A49A89FE73E670C5683B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0832948EB88DD804E2EEADE966E7111F,SHA256=4CDA793665F34723EB11E4277C55942AEBA4C6D2BAEF5CE4E8CC38728153D48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.983{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=07FF223B03D33730F405635D20A76D35,SHA256=A9FA53EC77A63ACDC81B063274F3C0F5FC39A3FE7C6C1633CB1EE06A29775207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:27.598{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED0A747083E5BAC8BD750DF8CAED4B6,SHA256=DD3223026B8E55862FF989BB5A4FFE9D6B7F9D0660C6EE2F2214BBCE275DF831,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:24.770{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-48352-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:27.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B2D256C41D3CED81C8692D208B32D3,SHA256=3D96C845D21B7F761B15FB219AAC067527A3B43D422B61882B5FE220A3122140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:27.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E127BDE4E8AED6DF18E04708BCBCCD,SHA256=AE9E1BC438A23512AB66A95AA40E37273B5C45766F2496F25F64B11B20D0D877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:28.664{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF864A960F4DA65DDB43D9BBEE96EF3,SHA256=6FB6330D9D58E1D639C0360792F265A9C59F7C656723DADCBA2154F52E0CF2CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:25.880{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51782-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:28.587{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B2528A0A13446DAD8A7279891F9D387,SHA256=4FD7D46075DEF9457AE47FB458E72A11BC34C1651C239D630A763C7AE5AC040E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:28.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3486BCA3A568296F77965C5D088B5030,SHA256=7370EBFA2011B5C36B9C3281F7C30BD97329B47353C8DC21EF8B07F9EC5829EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:29.698{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584A5254A95A98B6F1BB1414C1D5F424,SHA256=2AEA707FBC67EAFC01423E8B61C813329BD053EDBD06D73A87F222C660CFAC24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:26.958{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-55125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:29.665{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32DED89A43312762E7255187594CAE1C,SHA256=681324C128E9A162D1408B39A73AD35B8620C7DE9D01445053CC3B91420C9C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:29.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB53DDC32E5EA00AFFEC36AF6D33E36,SHA256=6E5821D438AEB61BFEEA7CD93DE3031CC40A175E2DD8D44122C0A4E7AD0107C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:29.298{5EBD8912-CDB7-6152-8426-00000000FD01}41725548C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 23542300x80000000000000001387030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:30.713{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD88D485640B4123A3A61272D0F5F2B,SHA256=6D56E9DE85D761FEE8A375A63EA955A42B813628201961C23120522EE66002AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:28.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:27.424{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61799-false10.0.1.12-8000- 23542300x80000000000000001293925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:30.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26298F9A7F0137510A0EDDF8001307F9,SHA256=799DA35D1B5DBFDC240BD525AD15436F6D113B530E05BC159A3D9A3069F48890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:30.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9162304E49A6F3F0F6895EEE5D2F2DB,SHA256=37BAB2B202CC06E2DD601A89DF1FFA89AAC3C95C0FCF64B1AB6B2EACC27D24B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:30.097{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:31.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771762126F68E8CD6233C75D958B16B2,SHA256=FD6C5B189D8D9A0305E84388F8307E949F5D5CEABD5C2513556C4819708E7F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:31.821{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB11681B4BFD28B45A29592117FD1098,SHA256=08BD83968C3CB13FEFEE9F21A98B9DF646D3055D9CC7E3B46F80EBA236B1E1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:31.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F56C401807453279A5318E3D64D705,SHA256=A1CBCD97F4256054018DC4FD690EB7ECF0DC39456CC36144659EC16CF73F3188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:32.744{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71D82ABBC9FDA15ABEE0203210CDF5F,SHA256=3A340FB86BBCC6877989DACA249A09226246944F677DACE42872345ADD2B40D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:29.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-2694-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:32.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB2AAA1A5A0FF92CF8CA65C6A69D01B4,SHA256=7068BE46E86248BD9E3E84CC68B6E24F9A9E92DE248BC1CB93E76F443258FE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:32.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339E71B69626080CF97DE82ED6E3CF50,SHA256=7E25EFB063317CDA580F9F353E14B034D9EBE449D6E49DBA4CC637C6DDACD92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:32.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C311BDE800AF1C3045ACA6761E02113D,SHA256=7D58B514ED3885F3E586DDE0EB2D2B0B89B0EACF05A24554BF6BF214946F9732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:32.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C702C7E80A82C3F9F9EC0FA46A2A03D8,SHA256=58AA120DA91043EF5A2A415B9B28C00CE011DE835EDA0C68AB0D5F438A80167A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:33.762{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CDD6D9C1DEBFCE993D7599B7202904,SHA256=5F88546EABF082D9880CAB50F80D07E90EA76A248B5478D25E78DA48B4322EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:33.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44B632F67DAF24234D982C603541C5D3,SHA256=0628C6AE1A2E91C765E9086F9B48A7CB38399B50200F0A5B8D99F5CC8F86B9EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:30.193{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-5908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:33.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CACE4610D65510DBB9E306E372749E,SHA256=292B296793DC7DB5D14B90EB5251A52AF04B99E7EE6FDF8A88437BCF5309830F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:33.612{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C311BDE800AF1C3045ACA6761E02113D,SHA256=7D58B514ED3885F3E586DDE0EB2D2B0B89B0EACF05A24554BF6BF214946F9732,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:32.437{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:32.400{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-57604-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B3B8FADE3EB258E070951A75DE3CD4,SHA256=96F752977272E5F04BABC7B07A1EA640D241BDF7EDAD7C88EE55AE2B1BDDFF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:34.431{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C93D104D65C28AC320DBDA8598658F,SHA256=39B5AB40985FAD1AFB2118F3A3324876C835D75971A54896EE03BAC32C11AA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.696{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B8CDE2A0CB9498A7D0DD3FBB00BA20A,SHA256=8557B54FD18B44701B7C6DE5EC40596361DC3116F5DD110B5A918CCB29C8A14F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.427{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-EC26-00000000FD01}3012C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.427{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-EC26-00000000FD01}3012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.427{5EBD8912-8D2A-6151-9600-00000000FD01}46326188C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-EC26-00000000FD01}3012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.412{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-ED26-00000000FD01}2084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.412{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-ED26-00000000FD01}2084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.412{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-ED26-00000000FD01}2084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.412{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-D0BD-6152-ED26-00000000FD01}2084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.796{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4142F82265C8A85B7C8EB9ECE4FF5C12,SHA256=696802815D5F57FF70EB1259048B35F626375203E4653F910F3C74D63BF7DC0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:32.348{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:31.271{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8989-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:35.447{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99FC01CB5E87CFBDD0D21DD086378AA,SHA256=1973F40EEF4105941F23E9D56E81E2DC970D9D913F133F4AF34072D5E8082FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2294A1FDF270F436D97BF9444837417,SHA256=FF8C4DEA1D6B899AAC8B24D3FAB90C732D0FAF84D9E5720CEE2199CC85A9CAA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:34.634{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-10925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:33.548{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:35.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA8F4CD6F6ED4B24AD9132677A28CE30,SHA256=5FCC911C21906A6E9F0212AA2D09E2DD4198EB3CACB660D343690320D1FCE171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:36.880{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD5B09AA292A5E18226AFA3C344C1DD5,SHA256=105B3C8D086066B09F5C134D19D441D2C9F946FF015445869763FB305FFBBA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:36.811{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2460EFCCCA281BB0E4BABF240319B4D0,SHA256=DFB98F09644DFA1DD0E0E665CFC0164AD53C249E336DA4F40ABD0CC00A43DFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:36.462{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30EBE856A8E2543A4C4D5F445CC1CAD,SHA256=DA697C5D08ADC9965E1C97CD2DF5E224F52A614F216C8C38AD61A284A7D01B55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.717{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.242{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001387072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=6087C6BFC035A6D7AD2E4B3812664949028BC11C9A520CCB04F4C23BEAB39F62 13241300x80000000000000001387071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x80000000000000001387070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x80000000000000001387069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x80000000000000001387068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 16341600x80000000000000001387067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-28 09:27:36.043C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=6087C6BFC035A6D7AD2E4B3812664949028BC11C9A520CCB04F4C23BEAB39F62 13241300x80000000000000001387066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x80000000000000001387065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x80000000000000001387064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x80000000000000001387063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x80000000000000001387062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x80000000000000001387061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x80000000000000001387060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-28 09:27:36.043{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x80000000000000001387059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-D0BD-6152-ED26-00000000FD01}20847108C:\Windows\system32\conhost.exe{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.996{5EBD8912-D0BD-6152-EC26-00000000FD01}30126820C:\Windows\system32\cmd.exe{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:35.999{5EBD8912-E007-6152-C128-00000000FD01}6760C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5EBD8912-D0BD-6152-EC26-00000000FD01}3012C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x80000000000000001293941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:36.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7DF4F3A0FE4A0FC90DE2EC028B4FF72,SHA256=C78CDD7CCD06ADFB2CD934EAC2B927F164CD5200FF09F6DC255D337351CB7414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:37.960{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AB96C34F9532D499D2652AB69A25FDA,SHA256=04C668574A8D2DF5D0E26879F01475E1AD2F69FB02D05F8226B355F453698131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:37.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6B30E2F8F77AE0BD350E5A6F7D411C,SHA256=FBFB470858CCFEE7598E355C48FE19C83304B82181B5AEF2F9A26B8DBD079EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:37.478{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=411E35E6EF0229539AD87E7C49FE9677,SHA256=D437AA2D0960A313036F0EF12F13704DB478B888F16CB115E895DE088B566528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:37.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B989C6BB7E5E2ECF2E52FDE96EB1DE83,SHA256=4925EEB43F4F4A3A9BB4809D0281202B392FB611080B531F98DE5A77204D6613,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:32.439{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61800-false10.0.1.12-8000- 23542300x80000000000000001387081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:38.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF4286159658D280109A69269656CF1,SHA256=E6FA2B8489F338F3118488B21839F41EBAB3BBCF0BB92AFAFC6CA90651DA9261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:38.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1CA008D2476DC278918F05E5510A88,SHA256=208F5604F5B0460951417ACF0DE71B320B157C1912405E69A5AED2A5A791BD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:37.901{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:36.800{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:38.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EAFD8A74719080A61CDC83018CA8C2B,SHA256=5ACDC34C8F4DB2C257224BA20438E7C9E7634D61A5BA1E64A0BDB3F47336CA07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:34.506{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18415-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:33.426{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-15339-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:39.859{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B16219A6D6A4EEC83ABC54C2B9E397,SHA256=ECC2A7BEE925C63E15BDFD1739C6F8A632C0C9650B19B607E33EC6AE49D6A442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:39.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF910A4AD4484842582333C4FDFF984,SHA256=7648672CFC46F6F6951C26928FA31EAA4AF383C16DF84B1A03D756ACA9EAB5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:39.041{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3460298D4029EA2BDC51CC77188B062,SHA256=074144C74BDA8618D566CAD7E87E98E07F911C2B452357F2CA3BB35873AACFC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:39.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E4043352BB4FD77777408E1F5580D7,SHA256=D91CADE9EAD72B39AD7E4A550E571032DABDC751606848A7A1C5071F4DA2F684,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:35.599{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21584-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:40.878{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9E1468FF59627135359CA7A01A1E0A,SHA256=C25C6DA8DCAEF9577EE0E153D59A60B19FF82306A4A864736C9D26E762D73EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:40.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E73CB96969DC8C7B0A26ED4281EC87,SHA256=39257CD4DCEE9C05C4B1C5733C2FFA7D564D28E6FE70B242450DA9B402083286,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:40.090{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:38.978{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:40.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA21D716ADC820EFDE03BE2D4FB8E7F,SHA256=2D34728F402779B9B30D644EAA37F719AB63EE9173C954599D1A19DD7990C5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:40.531{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC924B9315A634DED40050ED0AC66B7B,SHA256=E488BCDA09069B8891368A8F9B3C4EF0E247861FEDC116626AA32820315E1F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:36.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-24806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46857344DCB606DC9DA499EA4743B38D,SHA256=1278AB0C1C7E1FACA641B9B09A3B7019234332D3F521E91318E71DD2EBC89143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:41.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA4C5428D8B0C3510BC3A654FBEEB81,SHA256=554F5C72BB34C40D64D25B9810BDD180BBFE0E12576633B5360018CCFA8B52F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:41.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3687340A0D6D78B6768137CD37CD16,SHA256=886150A07C77F76EA39BA1689122B47AC6AF0105691E8B01DEEE9C80E9399A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F91717EFBE37396DCD72C038819C9B44,SHA256=5D2F5200B6ACCA7BB845311A093BB6E1A5F7301BBBBE5758FF3F1E3D3DD37AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6798CA6DADF4AA07765E54A5DA3F9D17,SHA256=C44598DA900ABF9714997D54AF5F06745C900913E7CA624D83A3BE8B72B77DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0B4DC1E6AA4F80B15620C2E3384DDE13,SHA256=CC6E52C7B3E5A2DE2DE922C98AA9E64F3B89DA801AEB4E484A52BFE933F4778B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FF4344864F5C3A7AFD6114642EE0CDF8,SHA256=B047BC4DED44157B4FAF5A60972CC56BF1EAF8E12F1F3C66887EB893D1321451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FF5D924D0973AB3E5AC6200878C05F26,SHA256=B79CB46964DCEF834556606FAC6C06DCE5E13FF2844A7B576F2A826F869F7F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5DAF530C762161D432C3BF959FEDACEF,SHA256=22A48F7CBDDC3F87DB45042AB1BD93D2396F3CE6C755D69E3A9564ECF7EA9F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.840{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=08B107CDF17206044CFCCF45141A7240,SHA256=239A8360014B88B64FFD40931A8C947089F370319231DFB7D3D4513EB4876CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.409{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F16AA83179F66C10FAACB6CC43F03ECC,SHA256=4366C4B238C5E16A3B8854DA000F5EC0E2AC7A491154BA9873677CEC739C3B2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:40.255{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001293957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:37.840{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27932-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:37.476{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61801-false10.0.1.12-8000- 23542300x80000000000000001387100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:42.908{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733ED3E1C47F7FA994A1937968C69C78,SHA256=8CC65D74CB733994B06BB58DB194D3CDB4A92610BA1778015E3F1680960921E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:42.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BA722F0A64BB5F392719A1B59ACE95,SHA256=FA0D431D38341AD6EFE4025EB9FD785F6B96A3F3245DFBAE4D1928BF9F05B6BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:42.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848EAB40B570D430231976EC6B90D732,SHA256=496DDF7FF450B6E1A5C9CEE2871868F255BED5E569F0648E8C2B0F2E548864B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:42.540{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9728F51B28B6F8C46E653319902F0FD,SHA256=C4BE1D87F7B6645E26E867BD0BF6EC97CD6AF5D8F3DA19BA63BAB69478C26945,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:41.191{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-45944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001293960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:38.918{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:43.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2924C3F74FED0AFDDB15D4A75A619792,SHA256=02E6AD6117AE71EEFEB14A5A903FC43583844E53E17F0A2C75CD9238FC8A0AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:43.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA13B0E2FD7200E91200073E09416C1E,SHA256=0FBF0417CDD2A39DD08A97E41AB750FBE2110B61DF531EE1937175C910CA74D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:43.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E660961AD8710D653599038663BB91A9,SHA256=D5A924868E6DF742C62A6DD4981EBE64E9E197AC4A4CE819E04110E58A4BA0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:43.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93F08C4C7572925091F671FB445B487F,SHA256=A9F18D461ED9AAC33621C8ADEB0C463D6751736F64E58A328E9F8E01C8999DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:43.139{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59105-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:43.139{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59105-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:42.443{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:44.938{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9245CBC0AC75297C236AD8EFDD1EA1,SHA256=1B79A7C3DE196C84DEACCFFD9DF1C5A7063334F4A2073448894F6803BD017EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:44.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F455C800639E64FAE9E60134A1BF8500,SHA256=F9F9CDF7EB58A4E84A0EE9CB32636648CFA9342A7939D32D50B7750C06A6A419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:44.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B26582C6B2D568013E6C00DC96ED31,SHA256=5FF0D06B5F383258EA9D1F618B36D6A192444D8FA798EEEC235D003F3DC96F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:44.807{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F6B3B329008E6DFDB77CFF4E6B90DE0,SHA256=6315ABC0B6349D312E99D4BE53F46C0B25EE1118002B2F5825308963C5FDC13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:43.572{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58845-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001293967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:44.390{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3816C2B4DF5C01C8E7675586B769E69F,SHA256=76468D7FE67EBFD5772960C7F140052397D77DF6E52B02AB66DBDBE0504B5372,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:41.073{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:39.996{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-33993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:45.991{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B2FBE2E19F5C21C6EA9F79B52F8933,SHA256=7AF86E3AFE6D49504E14049E25EA16ECFDB6055A3320ED92B07DE1A0A5BDFC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:45.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69CF54D6F4BFA08785AFCB52E3E4CC55,SHA256=78A3AA06B71AD67A1C1210995600DB03920187E5A84DB8235921520A4CED66CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:45.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378A9ABC86146987D63A0E208DE10D67,SHA256=E94E65581E16542C78A2F891C28C80F9973EFB00F0706091C1CA1E0E4BB7D65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:45.891{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD3D8C4637FE184F71D5C2D8B56CBEC,SHA256=97D9E83B66ADEBB4EE37EFBC8401873ED89381FEF90AC6E44B336BCEDD1A282D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:44.713{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5893-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001293970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:42.152{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:46.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DFF208586B67441F9628E90ADEAEBE,SHA256=C053658A80B0D79FEE9E8E34655FC38A26FA2F7EBCAFE89CDB223918030F331C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:43.245{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-42642-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001293979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:47.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E5A30D7D2E1ADB35CEBF89C96778C9,SHA256=D7B7AD52FCE48DB2D7182A130E40E5194E62B003EAB8A7843097980E4D434592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:47.921{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:47.012{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17670-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:46.156{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:45.828{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-12010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:47.155{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43111ADD8590F07A53FDA3B9CEBB149,SHA256=27A62AE539E9626DAA339FB47C84D745313272F941570BF6CCA40B00A5070A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:47.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CFAC47C5619B5F7897E850CB7BC679A,SHA256=325EB3285C33AE2FD560A5642492157BB6FAFB191F842D319028E4A988B1A905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:47.374{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:44.371{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001293976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:43.445{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61802-false10.0.1.12-8000- 23542300x80000000000000001293975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:47.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D35973ED39B10E74FD313A6D3EF4611,SHA256=7659F7884FDD637E5F00F4AF30AC4A9711797149AC7682ABF59862E3BCBDC65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:48.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C59C51B3378EAC9CEFBF07BA2B68E60,SHA256=8D2FD50403A778344014EC6AA5E4C84E43505B893BA588609E03F26692870415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:48.236{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70D1E6AD79A72220B9A8A576CB39A33D,SHA256=98B6F96F704F6A98D81E22D2C0CEA6112FD7AFDBD5760D004C0ADED8F93CE59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:48.036{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628958BB25DDFCAEC2D040873557FF95,SHA256=CB0B8B532CDD5F94F29848D69C675F632F0A3F966C738097AD502AFF6AEAFB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:49.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B063D0B7628F0C81C0C8BF733840F3E,SHA256=7235303EBA70CB26A2D694A50DBE6193512421C3037A60646CE9B15A0B52A654,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:48.905{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001387122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:48.173{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-24232-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:49.354{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12491815754A6D74954C15759B180364,SHA256=EFDCEECA14E43711691DD19711CBF7A5840AC0CCB448F5862C945F14523C6E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:49.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C62FEB570C6770FEB05574E4D7715B,SHA256=CFD585AE08B33E4ECB4F94EF8ABB85D74DC51490F15516773F70EA5F250EDE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:50.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561DCFA11A75E39AC8D5D0E4A304DC83,SHA256=D66CE5ED951F9C2E5E42F563271A25C553FB44EE1D80BA3920B2677A2076CF97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:45.711{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61803-false10.0.1.12-8089- 354300x80000000000000001387127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:50.371{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-35580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:49.281{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-30274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:50.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755BC9B96485B0F62FA46BA18FDA8935,SHA256=808E86FFB724288D75661BF202D12C054467F991471B37E66229E154E249311C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:50.088{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B157599111A0AD8A754B778278019C2,SHA256=3418944C24D78369691B4FE3CCC946AFC012934FEB60D967F994794A64FC73DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:51.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BFE0F9956ED84C6BD3880B3FFFCD93,SHA256=9B86C1A53300AA7A97E6E45E8D7494B0C0DF73AB6014D12995EB66ED150164C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:51.455{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:51.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C930E6D4E1B06B074ECBB135600E99D1,SHA256=82D8775BCCF386540D3762EA2CF3182C4D6FD07D3C68EA463B98E2BA8F321F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:51.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D777948E069512181F514B94058FEDB1,SHA256=5AFD9403AEBFE1944325D1CACB7BDC6EFD6512D895218D31254FF3266200ECB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:52.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08400C7CD5DBD2909E657C4F57C7551,SHA256=B430D39B510F64292F75BF683E4E05A693FAA3B06E9711956382DBF6F2AEDE77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:52.086{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:52.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C62E2C5685F821B4D65345C56FA808DD,SHA256=50331823D905DE5D5DD8493489EB9932337AC0FAB033B75B5F52EAD482633B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:52.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCDD135F65C871274BB5B6FA0DB65188,SHA256=5CAA648DA99256DE94C6198432ED291F24D6DDB2CE1B1B7364A2DAAF6D4AD517,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:48.585{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61804-false10.0.1.12-8000- 23542300x80000000000000001293987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:53.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EDDEFE70AA10B8EFB3958672C60706,SHA256=4A06ECFD0F256BBDB18FD79A6E9EFB14766AD6D84CB1B9D13884E25D6935DFE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:53.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2F2AF227D6005308D9BAF6D27290A20,SHA256=8A358581A850A7070D5EA8E1692B925AF7553FD502CD0E002072BFA8A47E48C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:52.538{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:53.132{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8313AA3BD36F29C016B16E65B0B6039,SHA256=F28D7F23F7A61C9A5CE6BAED67AE63F434F463E79C45B29B929C446EA205F033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:54.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8814B73082BB88010ADCABFB12D9EC7,SHA256=942571A61FB483EB3E7C1A6B2AAA89FADB04E0EFFAF5E8AC31386733486CE48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:54.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7781F9FA36B9310FBA9FE8F9FD93EF3C,SHA256=440A2B7642EA2D19F9078983661054452551A98AA243FAAFE5C994271DEB29FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:53.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:54.150{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72E6D837893BE0A48B0E2B6E85B9115,SHA256=BA07E67A5DC716E5333CBDB09DCF6182757820C9C92FCBED393CAA32104AB800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:55.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081A3D9BE5FECB610916170627F73080,SHA256=9A940F8805BAA4681CEC3148CB92086729EB5C21734304D690958861DD27366B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:55.167{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99745B7BABEA7B4107D8623615F492F,SHA256=2D604B4A3DBD20510C5FC119A6A3ACB770B093B33A01D43FDE449F548EB128A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:56.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBC17B0BCE54035A67CBF12E89FDCE6,SHA256=F8A9B578E1DD4C6B709433013F96E73BE9BFAA19D8F211E0EDDC35443EA5DABF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:54.867{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58509-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:56.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AC76FAA576A0B896F8DBA271E6ABDB,SHA256=80445A6E433FA27783C6D7BD2C287A0DDE132F62CBB199E7DD1AC1C269665256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:56.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=202435125D279E4DC21262A4B921FE98,SHA256=752FCFBAF571869FBB6E75F71E02EA675AC5D835D31898640494BF40385551D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:57.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0518E890E4C31C054BF145115EA7349,SHA256=EE457655CA0D78CE4FDB6209EFDA07DB2AADE4D04EF77D9053977984B8FEC46A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001387150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:57.797{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001387149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:57.781{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001387148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:27:57.781{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 354300x80000000000000001387147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:57.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-11561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:55.963{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-5377-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:57.213{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FFF5FC51DEE53832FA8771D301660E8,SHA256=D6099746010FE310902D602BD407CB657319FDB592284E7973A3068FE3BDE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:57.197{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1FED8BAB361B6C9EF4624619BD34F,SHA256=E53B1A923553AA4D9E669CFC0B2CAC19DBB054A307C9E5099A3C2D2834217A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:58.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EEEE99C7741E5400953F22CDE1292B,SHA256=A0D84F4C34E3D422FA220D8F497AADFDE0BDBCF4BB5F0072C5DFD9C3329A4C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:57.247{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59109-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.349{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=038D318B1937340DD1404D78F4E2ECB1,SHA256=653764E715C28D7EBB281EEB757DC64AD52AEA3F688143593AFC32501BFB9CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17F08BF3D0488DE0BC062F3B184B6B2,SHA256=AF1AF327B6D9DB7E0666AA969A47761E84453EEA1CBE4206F641D8D44148F36C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:54.460{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61805-false10.0.1.12-8000- 23542300x80000000000000001293994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:59.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E7976DB6372BE3169DAD56B23C259B,SHA256=05A6CCE209F4C4091BD6763CD0877B426360806B972601B02F32A779404549E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.805{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59112-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001387162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.805{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59112-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001387161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.799{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59111-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001387160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.799{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59111-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001387159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.782{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59110-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001387158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.782{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59110-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001387157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.734{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-59274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:58.249{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-17370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:59.465{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=673AC417B8C16F96E2686E0A75F42318,SHA256=AF1F81F83197907DF01219607DD155A87B67BFBDE2D1A7C23F1D7C5D7AF5325C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:59.228{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB9FD7A03F8FAF811B039BD26FD9344,SHA256=A355ECD883DDDEAAFACFD31A6A1E5B3F57F5736961E9DE9BF433190A8E6C937C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:00.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51F5B72B9E9C1BF67EC55A43B85AE74,SHA256=3F00797431D7D44F9AA786619168D52D35A0F7C5498B1F45655A3E6C6DE085B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-29131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:27:59.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-23260-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001387168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.753{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.753{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.753{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.599{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A5DC20D32D353F4A22D91F909762C7,SHA256=870D35D75D052B0DB55FA6121C52D78CE529B1D1F7BFD98C3E61CB6B994D7C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:00.231{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16176FA3BBF4CFF988D2B02074D3049E,SHA256=9F14D61A89981907AC750C5F4996E7F9147E21A3D60EB2C688E7148281C5E3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:01.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F88A20F5CD64D6004A2C91646E3AA33,SHA256=0641702B13AE21E40BE6A32711FDF5BDE4E4CF46A008BBE97DB347F009F8152E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.636{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-34933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=26DF251590BDC5E31F090799449A45D6,SHA256=7BA8ACB42EA5C6F30A2C453D6189B64057457D5AB2727927CEA40A3A9FDE7971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6295FAE70663E42143EEB0538BBF50B7,SHA256=08E8884261486F798CF30729FEB9EE69B40547C54979F1C3F358B3FD0E99AAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.731{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D9201A9E692A56509CEA8D5D5ED86AF,SHA256=0B18A4ED8F0ECAEDB942FDABB6870261F150EB8508C72EA7A0198D6A5241C3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.231{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8213C585C601196E4E24F2B1F5DB4E97,SHA256=FA9940AE6E6287D6CEA9EB20D6046BFA353C8611FD6212E2E1EB140F044EB564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:02.958{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0BCE40DED34DB6143C2FB029D2472D,SHA256=F56FE5679AF4CDBE829923ED36F87478A1EBD12C8A39A7CD9CB3AAB00A543316,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.759{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52657- 23542300x80000000000000001387177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:02.815{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=844769FC7DE8AEB040CC11D7296AF67B,SHA256=2F10684CADE63BCFDCF76457A7E9B11431E8B7263424E64E4A2F7EFE36E5D41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:02.250{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DCFB50CA3BC04D2F8F967D810FE17,SHA256=F75F32C3404E1B1F2E0BC27BE8981B0A4A6E832639696564AED0688EEC2EECF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001293999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:03.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242480ABFB19586ED01D0BB88FB02B6E,SHA256=BE0CF6BB3EB87B38DCE3C37B75E8281F8B22806E3545042DF0C7CA78A2886F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001293998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:27:59.528{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61806-false10.0.1.12-8000- 23542300x80000000000000001387182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:03.929{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11135FF1B7CA2187C2E7F665C1F29315,SHA256=B1C149CFE91E53D45DBA7FE369FF4E8C9E88FB3B992707A24396660FD11204F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:02.752{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-40927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:01.763{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local59113-false67.27.157.126-80http 23542300x80000000000000001387179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:03.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA1C7C5C6A0E486F8A9311F6F59066D,SHA256=DFE1ABF892BCF34CFFE3A222C2000AD15D61FF5A18FABE78A7C5C032AE160C60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:03.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-46333-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:02.999{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:04.329{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0730797F30A9FABBAD4BC5D620C10B67,SHA256=1A5640DCB887EE0223E9A13AA048CFF655E0FBF9978AFC75BFD924F6180AB677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:05.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6AEA086AF1A105BCC9E06436B81F46,SHA256=9D9B8B7CAF8FC0872C791147827CE1BD847D82702EA3111A23FF491F41FDCFAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:04.950{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-52048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:05.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF086F54401F758E44322C8002CC743,SHA256=C86CA43BDA030DEF540BAE35C6AF4BD997709CAE7D0839C0C76EB5B8D9FE524C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:05.081{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9B96E95D493DF5DFC60A6F59FC6E2B5,SHA256=97FCC715D23BF29B4F9CBF94CE3A55EE9FAD7517FFE77BE542FB025A221608F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:06.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B6C36F2CAADE364D3932DF6ED08240,SHA256=90AC2044692BFC4FA463CB92F4CC326F52935D95366915ABDE911FFF0DE9EBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:06.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2AB94C3FF7CAF1319C50F21EFFABFE,SHA256=8FD30F13F27172F084A0E445134E76B9049EAE7EFEE53781B1B93AFD4472D190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:06.165{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16280C5CB8FDE9F7AABC19ADFA10464B,SHA256=1AF7565A9082B910549D98E52F11A88774B799E1AF458EAF7CED9636C6E19E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:07.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD75C8759F60C786B65D8C88BBB1D22,SHA256=8D81E2A14C22FB99300E6A867E4ABFD3A086B9C00C10B7285FF919C0447F4FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:07.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFC0C4F235E838F55BE65FEFFD1C039,SHA256=5FCC6CCD394733AF949E2DD306519666F3F163EDA813BE3FE19958C68559BEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:07.244{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45C866768E45CC57CEFAB530CD2DF09F,SHA256=ABB75C12C717FEBF8D7FA53FE75CA0AFF06F65A1930114F92F4919BB4A4C592E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:08.478{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCB8080E80F0562AD78C0F6B368C80D,SHA256=BE4D82EC49779F9AB24B382FBCB661208EBE912CE7AE598B2593561F6D7B6B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:08.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87869B5DA2AE14061C6E060B83E95DC,SHA256=8A157ED9D752893AC315495D1FF247CA6249E2D737FB52D967EE9020FC6525EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:08.325{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D3DB6535FA5AE856C2A15B1B52D3786,SHA256=E9C1125E4FA17D554B0A6A3CF7292F4C1ADD8609FCDEE48936467DAF1ED059C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:06.102{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-58139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:09.524{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDD6A14F034BF2C6DA82840CE72859B,SHA256=7DF8812BC711F35A3ED7D7CFD32105C2BEA1EBAD005041E8260B5D35F6822267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:09.524{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BEF1042F4D7358D44D72B8FA948E89,SHA256=59821B60DDF9D85B768CA430FC33AFDF47995ED381467D5946267CC35743E932,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:05.481{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61807-false10.0.1.12-8000- 23542300x80000000000000001294004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:09.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6C9663C082E8D7A8303CD6D79ACA26,SHA256=39550ECB25783264401F966283369500806C1F23D3C394905CF538E898B65B92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:08.263{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-10512-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:08.226{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:07.185{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-4883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001387220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.944{5EBD8912-E02A-6152-C328-00000000FD01}62246708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.922{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6377E71DD044AC9481617DE562AE7BF6,SHA256=8019A06D5C7C85BC7AA5309C27B09856BAFE6650F6F0C00431EB5385C427D9CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E02A-6152-C328-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E02A-6152-C328-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.791{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E02A-6152-C328-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.792{5EBD8912-E02A-6152-C328-00000000FD01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7490BEADD765975A0327DDEDFB2A6070,SHA256=DFF5CB946BE5A7ABF93B850D2BECF66C4DE5A3FE924926F394F3671DF2F39E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.560{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C25E921B2F55CE8B78BC5D07FD037A,SHA256=5EDBCF4953E7DA8DA21AB86F9FCEA8C44FCC1B41C188A2FDE6D6E6A65BDBB574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:10.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9529B163768975AF1CE665B58380CB,SHA256=042BF94A832FFEB6BACEB0CA2E20B5496EF2A653ED2DEABCD667C8764AC8B51F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E02A-6152-C228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E02A-6152-C228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.191{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E02A-6152-C228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.193{5EBD8912-E02A-6152-C228-00000000FD01}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=091ECDE4608CF9C7844EFBBD61FD153F,SHA256=72FDE04B2D6C589BDA2DF1D97550ED944FB1E0A86271730CF44DDE862403779F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6CEBD4D793D1A6CB5AA502F612EB1045,SHA256=20235B47382658B63F9D69BABC440C0C0F1EDA0A671341979EFFA92E54B38562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3CA48376DA39ABE19E2A96E11E8C9974,SHA256=E882182773AA9FBF53A2A67728DDBFDCA61DB8E010D9A1DC8F643CEE3515C0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=04D5696451E9F58D29D4761BBFA01F2E,SHA256=3BDCCCD0B74B98F99AFB434F3CEC837D3D48C831863B69758B1F2D85A20349B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=207315C630D178BCECB5768CB8E4C296,SHA256=B0BA8BB64B4F0DC068D047A4847EBBE192E1C1FCEFA6955F3236974287B40CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3924A35F78ED97F863464D37E81F9071,SHA256=9E7C2E1545D4E4A3F540CFE19037ECCA94029B85EB8B0A97FD6EA5A9815580AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.921{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=DC0F81418991E7361A2E273BB5BE9023,SHA256=267A64C6BF94505F1E91B2E120579BBF981DA95A6BEB27C96C148865B4E9A5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.690{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0D093128BA66BDE1022E247DD56BA7,SHA256=9763680E3F357B27471C96A0CE5861CB5B3BC120897858691E12C94964C77BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225A4B19500FA0F9DEAE7F2274D2FD3F,SHA256=B2B83080A99CE0C08F9EC7BB40945DE636DE1605F3D853993F3BF14A0E08CF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71ECA2FC940E000467667CCBE222BD9,SHA256=D0B9053323825AD43B5040B386A9E0EA372856137B0A494036C7A8B4B7D8C740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAD926277B824EA5F8464F9D4E57AD5D,SHA256=54ED4F90B387A48AB23591AB98D01445AACFA2A35EB4BAE39B0114207CA9C953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.598{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4864541A6A6F41FC47ED789448D19F,SHA256=979EE8F97BB7376EC5774AE282F48A0B2E042E65AEC888F5CE46D5CE1BA1FB80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:10.545{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-22355-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:09.409{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-16129-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001294020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.583{69CF5F33-E02B-6152-B1A1-00000000FD01}10083120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02B-6152-B1A1-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.411{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.395{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E02B-6152-B1A1-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.395{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02B-6152-B1A1-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.396{69CF5F33-E02B-6152-B1A1-00000000FD01}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001294055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02C-6152-B3A1-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E02C-6152-B3A1-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.786{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02C-6152-B3A1-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.771{69CF5F33-E02C-6152-B3A1-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E71ECA2FC940E000467667CCBE222BD9,SHA256=D0B9053323825AD43B5040B386A9E0EA372856137B0A494036C7A8B4B7D8C740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533C2FE62663FB6F2A7CEC7A0E01EFE5,SHA256=9B4EE28481A25FE21A305E680AB69D07D6235FC84F26AACFBEC6ADBF03859313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.773{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4EEDA6EE55DD77DAEBA3B7D1BC3C38A,SHA256=0A8FCC313E048F23D443808902C8641AA69E062A6EEB6186B590289FD83F2892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E02C-6152-C428-00000000FD01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E02C-6152-C428-00000000FD01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.720{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E02C-6152-C428-00000000FD01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.721{5EBD8912-E02C-6152-C428-00000000FD01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280EB9CBCF5625DF90AD521A7CB55B76,SHA256=95D5A0755E99CC8D48A2DA20E7A5B7FBCDA61D67801D5A5CE5D4958490FBE60A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.719{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261808-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001387232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:11.627{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-28166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001294040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:09.024{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61808-false10.0.1.14-49672- 354300x80000000000000001294039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:08.969{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56554-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:08.943{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001294037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.411{69CF5F33-E02C-6152-B2A1-00000000FD01}26841080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02C-6152-B2A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E02C-6152-B2A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.098{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02C-6152-B2A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.083{69CF5F33-E02C-6152-B2A1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.878{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9381D5CABE2F3A5138D68FEF337D53B,SHA256=EC7C2D2E130934992303A70475516B5207D8EF46B00F3C3FBA94BC1AF475AF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.672{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26D3FE8B126A6317144493DBCA61B55,SHA256=D553DD7884B42D75BE321E925936212C2C304E484BB966BFCF88F62E20FDBD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA15C544AD73ACACEBFB7C2EF456208C,SHA256=8C6F90977E34A073470BA90139E4CCE4F2DE53651899CC16E7B9352252D74FED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.723{69CF5F33-E02D-6152-B4A1-00000000FD01}35682412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001294069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:10.048{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001294068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02D-6152-B4A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E02D-6152-B4A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.473{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02D-6152-B4A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.458{69CF5F33-E02D-6152-B4A1-00000000FD01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001387253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.641{5EBD8912-E02D-6152-C528-00000000FD01}40086620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.420{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E02D-6152-C528-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E02D-6152-C528-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.404{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E02D-6152-C528-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.405{5EBD8912-E02D-6152-C528-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001387244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:12.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-33877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:14.959{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDF7AC9B2E5769CC5F0605DECE811587,SHA256=6CC4E22C35EEFA1D50B5E9C4B919468681963FD4AC66440EA2C97262D4426E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:14.680{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFF9F0694C506FC5447D1BB10A47D57,SHA256=11B1ABB5BEB85F335B2E09F407BC222616CA1E9AC43AB6A43A7237728CB166DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CFBC8BF0CB91B6119F026E732B700C1,SHA256=7E1AF8FDEE37A1DEBFC8D323D0DB34BF4A08721E194311B8898BF85DFC759185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02E-6152-B6A1-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E02E-6152-B6A1-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.833{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02E-6152-B6A1-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.818{69CF5F33-E02E-6152-B6A1-00000000FD01}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001294087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.481{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61809-false10.0.1.12-8000- 354300x80000000000000001294086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:11.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001294085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E02E-6152-B5A1-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E02E-6152-B5A1-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.145{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E02E-6152-B5A1-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.132{69CF5F33-E02E-6152-B5A1-00000000FD01}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.129{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC3F061FF0D92323B497AEFDEC3BD07,SHA256=25A5222F90C014DA9EC0A833736936DA59974E450277FC39D3CA274E38B00250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:15.697{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797545DEC805A8E7539FBDB870857EE,SHA256=1232A29A24E7F74AEAD8F7118E7FE58E6546370BF775F473EF9322E76201166D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:12.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-19907-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:15.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC76350693EE8C450E82BFCFB0F067CF,SHA256=6CC556BC10F7A7E297E1EF7AD0A5BA1AA23818D958C23EADEE40FF2350A754D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:14.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-45164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:14.189{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:13.795{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-39445-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001294102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:15.020{69CF5F33-E02E-6152-B6A1-00000000FD01}30681804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.781{5EBD8912-E030-6152-C628-00000000FD01}57482052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.722{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7921379CA276D5B81DD7BBEC698A7D0A,SHA256=810CF57FB56E9844871BB0F208495E2C16469FEA867D9C6BB20CD99134A8378C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:13.374{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28121-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:16.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9C651286DB0EC584F620D3E98463EC,SHA256=EE2C7809945408391E83B1FEF768EFAE4707269FDB71866E731D70885FB76435,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.643{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001387280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.643{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.643{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF52e7f7f.TMPMD5=B75F25CB252B727E2DCC540CAC552E56,SHA256=96C19E5EE1729DB76022409784B322D8E42CBF29BE3FA29E7901432732AC8434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.627{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\jumpListCache\ZobKhoc6TVwLUcR0bO2GfQ==.icoMD5=4AC3382AB071FA9F3654881A1C9A85E5,SHA256=174DA8BA5B17A05281266FE6916FE46DA43C43655A4D792FB32E36A2DCC17508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.612{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\jumpListCache\YcbJu9tcpgMRKYto5YY24w==.icoMD5=C93D58D968FA18806FCC982AA6DB241B,SHA256=2391727AADD5EA75A529AE41B7BFAF5D411D2D7F2AC0E43B1631E23D76C64D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.612{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\jumpListCache\Ebx77i167FE3VXD9AIBW0Q==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.612{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\jumpListCache\8dK31EFjY1UC_6ABFtFSmg==.icoMD5=7E0D2306F2EFCA6D5665CFA6F0078BD4,SHA256=6E22C57960D688A0E7459902F3DFE7D965356F26A54C8B940E7060FFBC028AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.612{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\jumpListCache\5p13c0BilbGAotcKN8jIkA==.icoMD5=4AC3382AB071FA9F3654881A1C9A85E5,SHA256=174DA8BA5B17A05281266FE6916FE46DA43C43655A4D792FB32E36A2DCC17508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.612{5EBD8912-CDB7-6152-8426-00000000FD01}41725548C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-CDB8-6152-8526-00000000FD01}656C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x80000000000000001387272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E030-6152-C628-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E030-6152-C628-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.543{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E030-6152-C628-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.544{5EBD8912-E030-6152-C628-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001387264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:15.160{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41936-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:15.122{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93040E8CAD9D4D38340AEFFB32BF36C1,SHA256=677707A18E1E5F0CA643E31B6B720591107AEBFABA5995260D27E7B9F9BF641D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:16.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D722CAA106BF05780C4F91309F9E2FDF,SHA256=3031C57C2FF1CAEBFE0217E8AA24A972B1D9A3DB61B4CDCEDC47E35726B44ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.742{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97C9501E26A3BB43F2384E2A0137777,SHA256=68F6A40AC6E6505DBB91E34D63E302A522F0257A9CB5E0D7EAE2C145E71585F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:14.487{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-35931-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:17.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85843523CD8A011991727E404ADF667F,SHA256=197E70E8F73DD2E8EF4AE907FC3BB65C5B77767DE66828AAF79E9C594CA0E78D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.243{5EBD8912-E031-6152-C728-00000000FD01}34804168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40D1449D610B9BA6B7303094A879D21D,SHA256=53B822B7216CAB3CDEA706F01C152106C3C7A0D60596705AA2F9BACA183CD416,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:15.981{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-50860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001387291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E031-6152-C728-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E031-6152-C728-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.043{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E031-6152-C728-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.044{5EBD8912-E031-6152-C728-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:17.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BE3382AF55935CBFCC0761295A66966,SHA256=2A8A900D01830CD8D8CFBAB0F7C93342D2DA259904EEDC9C3DA602BF124BFAB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:15.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:18.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22DD76AE3C4D7A2E343A1E7B5C3C51C,SHA256=BC391ACF9B7263581EB4D8B80B84BF9D203DF8D07980627007B9DC082EADBE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:18.773{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96EC4E376F9058B04BD815C8DA29F1,SHA256=41C86263C69366AD36DD5E390A875A068636C69111FE621304F311874466D7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:18.257{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CB57BE78659DB0D059A8C30CB5C82EF,SHA256=0D522BB6173EEADDACF018C9C054ACA3DEAFD30F0C026C4CBD03EFA7EC41A85F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:17.081{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-56542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:16.280{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:18.492{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7A2836BAFE33EC4FA03635CC44F7347,SHA256=50E6D0FA02572FE02773765AFD03E8200B9C17F6899F80CA4443AFDE2F6E3BE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:16.865{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51809-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:19.789{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A26AD376567F725E127395E209CE91A,SHA256=B47DB67659660C697868B30B0EF73F4C6A7011D1E4445EE12F6ED339BA6633FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E033-6152-C828-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E033-6152-C828-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.925{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E033-6152-C828-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.926{5EBD8912-E033-6152-C828-00000000FD01}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1ED5E88037EF981C2765C11D6F2EDF,SHA256=328FF4BB4E0AEFF110BC4200D6823D6F25347A49DE5A1DDA7E4F4916651BD968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:19.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23207988F539BD7A795FB50175FB195A,SHA256=0394EE3839A63287A3B6CF8440391381D5EE5576ECCAA73DFEF29358F1F63133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:19.479{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5728MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.357{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94AA0324DDE1FE26D034139A00045C59,SHA256=A4577D27F9D486CD8DCF9FE97659F5FDCCFA8C8B4A33BA49A71BBB828F41EED6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:18.495{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:18.211{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.147.165static.165.147.203.116.clients.your-server.de61323-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:18.196{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-3556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:20.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEEDAA72E77309D6D670F14F8C0F90BB,SHA256=379EEDC752A8492E91772C0581602F24BAEE03AFC624C2B8A0B07B39552145E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:20.798{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3862C3359331DAD22DFAB23C6671C60,SHA256=279E1D01AC6ECF583DABC2A64A95F4D334F0B68E1A277B2B4BD19A1A4855BD67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:20.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD53A58CD2E7068A2ED5BE13B7A4D5A3,SHA256=44FBA1C6A4327B96731645ABB7D1ECB9EF71851C5E9D6F5D82C257AEF313EECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:20.493{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5729MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:20.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B324851D08105F685620613AC55DD5,SHA256=2426AE1DD117E4F2C9019B122F1A0A1106842AC137AEAEAE88A29A463A59ACAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.579{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.278{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-9207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:19.227{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001294124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:17.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59537-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:17.438{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61810-false10.0.1.12-8000- 23542300x80000000000000001294122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:21.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BA8C2F4FD56763DA2D56493AACCCD7,SHA256=372180BCE168B55251F8941732B9CEF6E65248505BF14E2F80D70A5816894DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:21.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB586D2764665C6A07BC9805E08630E,SHA256=F353929B0757DE1F56617C813F8FE02BB847A85A433941C01738B1526FA4C0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:21.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=729B902AC6D6508539B484198CB1611D,SHA256=0353C7B296484F84E62792798D6E3556BAACB1788A73E079F86D180AA1B1A69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:21.566{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08D96A09D847417C43DF1C644510FB30,SHA256=52B256314614CCF487B9C4B199F54084199B0DA569DBE85A21FE4C9153FA2507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:20.730{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:20.378{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-14957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:22.866{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2907241029E53670FA61CE3A53A3C858,SHA256=72CBB662BD86F8585C57966C8F53FF548342B55966CD8868A48C9B27859B1992,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:19.083{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7980-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D69C119ABA72A1D86CDA932DD75764,SHA256=66E5FEFD6A1B93E094D9BF4014340E9C91DF7883DB621539D332876D0038399F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.228{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E036-6152-B7A1-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E036-6152-B7A1-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.212{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E036-6152-B7A1-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.198{69CF5F33-E036-6152-B7A1-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:22.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DEE9A8DBF8BCCCEBD538DEAC267B56,SHA256=77CEBA30D4C4CAEE0DF3D76483D046299E9491268A3A495EF3F506B8CDB7168F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:22.653{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1411MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:21.499{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-20445-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:23.881{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150F0819F9B97FD8584D6828DD26AA70,SHA256=88BE72235891A387C763A91B8788E6D47471BD067C0E3888EB787311B603669C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:23.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F82E184BE989FF533E3B46F434A9B3B,SHA256=D10F3D411DE370D944307EFA52C443602DB57CD2FA929D3A8FA038F1212736B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:23.766{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46FAB18E1FAA642876F6DFBED09167B0,SHA256=34A5F5886391018FE271F22DA787A6AAE8E306843EDF1042B083E5733DB583D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:23.667{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1412MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:22.935{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27792-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:22.602{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:21.819{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:23.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E89017A0A03EA535E4F048D48E70DE00,SHA256=BFECF03709337331C41B11AFD2750F0774AF1D8BB852C6F55D0CB323463563F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:24.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3F0306D0B7F017807341A50CD91ACD,SHA256=C63368DD3A79AB8BB03D115FA70D927367F01A033BD4F479FCD9335DA58C9C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:24.930{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A973FD0945B873F8391301A6E6495A,SHA256=470BB48F464BCCC51F4888848F1E94C4AA7E10800DF9CDB27CA7DD019FAA620E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:24.849{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B12977B4CF97C9A81C58C2FB1F5CE731,SHA256=276A8CA8642BF29E89CDA97546E36A40CFCEF95549CAF5DE7FC4A7125675394E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:23.710{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-32457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:24.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=271BE0636EC2BA9DED9FF8AFD139A65C,SHA256=36D4E38FCA9CB51B2A093E5A9A9F21A9687D3F1B30FCBC55285F0C12FEE09F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:20.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-15844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:25.932{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33EB633A34414C89ED5067990767DDE,SHA256=142CAE8D887FCE63DF437EF40F2D9D943A7D0E1ECBCEFA9E788543BABE4275E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:25.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82A30DBD3AD413DF3F77A8C52E6C86A,SHA256=E8912924B9A12A777FED9B800F9961A06C55269D71CCC446916A98E08162BA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:25.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2FF4C9D23868566B54E14F86E45D488,SHA256=648133CEE0B4A7D4A7E2AA5D97869A8587247B636630F7773B81D65BB4FFCDC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:21.520{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-25073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001387339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:25.150{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:25.103{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-40383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:24.787{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-38161-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:24.018{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:26.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC1EF28DCBFFA9A20017AAB13A23E4B,SHA256=74BB651E4B1E5B5AB258C2F767A831EC16A9E470EDD24E7501FC9D9B44A2A74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:26.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C28B8E0B0A730928F74A95B2309D01,SHA256=2D4E2B259484E93C35F7AD88B2C13344C6F78D6A06078AF2CDF79A8604871A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:26.190{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:25.967{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-43975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:26.099{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E29C2EFC41B408204B664EDD263DBDCF,SHA256=651983D1A1C196B4B7C88A14C17D717473CA699BBE0526157CEAADC7DA5DA752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:26.603{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6C4780C3E906EC983648374DD688D1F,SHA256=4665B1AF9DDB1B2709789488D6DC696031C8907D469928DA2F0F098ED2EEA316,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-33304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:22.548{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61811-false10.0.1.12-8000- 23542300x80000000000000001294154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:27.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6005281B7DC530172CE91071F5767F,SHA256=2C6EA9DA4C2A9D59FB4E319C6AE4375B0DB1B9C1D534E56E8FF2199B44008793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:27.993{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465B2AAC67448EF4EBD836E1E5FDAB36,SHA256=FD37561D6E01D0B251A6D8762117BFBAB20CF461A554214EC54B1B8A63FD809C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:27.283{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:27.148{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-50153-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:27.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF2DA5EF50DBD7C54B4A1A24A2CDFFC0,SHA256=F919E0E31D969C2E512F5CB3B5148214408A66416A9F2E09A680469AC4E894B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:27.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DDD15E9D842A2EA2C18C97FEF4BD431,SHA256=F80B2A986048666C9F4D5606FC65D009139D8F197EE299156AF7A5AD0F33CC93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:23.893{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:28.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3146696DAA45D7C368F0420C3C15E05,SHA256=5491C931D3E8A157D8681DD0AC154820749CB80734B1A346CAD96B65D2034B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:28.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446F14B61D8383CAA0CE4427ED8F09F0,SHA256=AE9E080DF3A09CE2D65A9909B51E85CA3A02E2EE6BCB313AFD6AD97A4E8EAF3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:24.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:28.293{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3387D097A1CF30F79E46B14F7C42A564,SHA256=830C1995FDAEC1A4407DD9D317F068A0D0540EC766FE7141D16675C8C281F824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:29.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C391C922C725D7C5BF47FD9D646BA219,SHA256=2C7D248258EB82ABC6FE581FF4E14B8B0835A4CD717ED340711DA7D87206E3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:28.231{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-55963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:29.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70409A0170BE99477F494B47869D1943,SHA256=26A90E23143ED1915475AD5FCDBB1BFA881BA608B10D78780DCD0455091C4BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:29.008{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFFB6AB9D81F9E594D9B5891F6BA1C6,SHA256=8C2DC8A9DE666A32B4D2EBA88AEAC86E3927AAE20A66709567884D3F8346E9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:29.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0832C3627F76C84262F07347F9683493,SHA256=C7D7DCFC9A08F8BA695DEFCAC407F4EB0556E5032C504AD92C65901B12A33B08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:26.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57080-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:30.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1210F2A378990D7C81BC5DA5D2F7DECD,SHA256=84EFB50627D9AFABDF8645B964AA18A309B07440E8AA227B6293F864691865B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:30.691{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6791029DD5CA51DB52405EA4E247BA40,SHA256=FEC42901AD98B97623A1BFC7DDFCC8E505702474AAC430DC88F042EDE059B1F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:30.421{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-8422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:30.224{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:29.615{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:29.314{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-2761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:28.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59616-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:30.025{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F932E8BAA2F60D28AD43F9FE86D448,SHA256=1EA91D70C3598C03E1B7B31270D62B593A82A4EAAF332E2063A800F29803FF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:30.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=134C6619150B0636C575E8157107A948,SHA256=B0BB62538A157B2AA1FA682F841EFF6EC4FF2743B46BD241A2277B0C19239879,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:27.147{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:31.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC50CBAD2546EF31C19A141942CC986,SHA256=747A414ABF697D67029B0C4275661F7447B131D1436BE5C7D6BC3BBB5ABA94BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:28.423{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61812-false10.0.1.12-8000- 354300x80000000000000001294164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:28.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-13403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:31.874{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A81E9EC2DAAF9DF6DEEB59290BAED6,SHA256=989183D85C2CD26B7A207B2201FAAE772C0E400FB7BE42D08DCED9462941ECB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:30.697{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:31.074{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBDD8EF94791430926D56107923AFC2,SHA256=DBCCE0D385E5973451834915CA9AA8C240F97045F9EDC69A9DBB04A0CC16F07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:32.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7BF527908849FDC8DD779891AFE46D,SHA256=A4274BF4E99716B8FDDFAAB4140FC33D5C470A40F57C385A2AC7C93B1CE5D554,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:29.334{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:32.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D2F91621CB0AFC1C4747F2BE92E1A16,SHA256=1C28CC2868D0116647DC093AFA00599EEE09BC0F65E45BD985BDB7680B45C30A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:32.957{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558A8A9C4048A3E643C55732F6642389,SHA256=0DCA844E4F47E2352761FE755B69A2DC61926742BA8A80DFFB064B8CE38916CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:31.894{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19911-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:31.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-15044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:32.105{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18656656B1CC18AA0B505C7553CE932C,SHA256=7EC41B74733A21B06C2339E96332682DD8A02CEC236DAF673AA8ACC3F8A29475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:33.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD314090AF92F28D3F40F2BE3BBFFF4,SHA256=962DBF847F89F05D83050790A61604F04F7F71D13620A2D2C8909C9077D20B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:33.181{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E59EAA81A0EE32762C42BECE5B8FFC,SHA256=B2C0A8F9C07A199E7A6D2DB5C2150332344D6F661D6664E1E47BEAA037FE472F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:32.895{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-21168-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:33.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92B38F1C6C33999F59C363A990D37DE,SHA256=C5A6D610F4381D29F473C128F4C639A8328F20D1275EFA6B3771C0DC715257E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:34.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91C19B556989736FCBD4F00D82562E0,SHA256=BA083FCCF519DB9715D0BC63A478A0194E8C8C17F02A632D036DF6928D1999F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:34.078{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:33.979{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-26828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:32.995{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-26088-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:34.156{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6362750CC51E8E20398F32EFB9790A,SHA256=FE8515439D400DA1A422B0AC42454C81FC4D305301D46AB4260805E4187F9DB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:31.569{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:30.437{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:34.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=986D0BF1A00812E680A8C4F664FB3B91,SHA256=25AD1F794DDE3C37E32514AF2474EABD7EE3F0E6043CEBF070663C1E4AA13414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:34.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B601DAF41911EE7805C8CA2AF4F3E965,SHA256=A3C82835FA1568111AA191040A2955C66ACAE861A3DC0708F3B1424BD169F05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:35.157{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE4F8A5B5B18AC88A1BBF29DC6B1ECCD,SHA256=51FF45A0145AE512EE47CDC97EAA4C3E516250F965A9187DFA1F48980C469F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:35.157{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F848157697973B949916906323D6BC,SHA256=1764456664056E519323B69F3033EFC78C9B3D342EB406D5685C6E290A499699,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:32.677{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-44159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:35.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=180B74B221C07AD567F16E314F619EA9,SHA256=61DACBF384E7B9A513BD69DD78405BB51DD02E5957A3AD8BCE5C43C5BBD08CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:33.595{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61813-false10.0.1.12-8000- 23542300x80000000000000001294179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:36.556{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85721FEBD39D6D0F3477CC8D1E78643F,SHA256=8EA814601063BF4ABDEED803B6337632CA770655BC58248616074B906746475D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:36.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C04308836C15A64AC2661C3BFB1F749,SHA256=05453F22481B1CB18659AFDE3B1521A385147992EEE5137D3B0494FFA980C367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:36.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:36.209{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-38465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:36.089{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:35.161{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:35.077{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.64-32480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:36.304{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBD568F023D35859570DCEE9887705B3,SHA256=3A8EC070D09BA55F16CE2D8C5D0C1F56A9C08C91951AFCB8DEA3F3ECA0A7E236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:36.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742A53DDA1C8CF51BBC50526BC1CE2BC,SHA256=5936310324EEE7195BD5EF6506EA32DFEDE2991CB7053A342018200F66E10AF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:37.379{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:37.475{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=982C49D7390C9263A338DFA1DD23020A,SHA256=8A95AA8B4ED2A648E9EC2614815CBD8B3D510A4C14F1E2C1FFEFB8D4741A8AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:37.175{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AF32E4253B8184C09962235C3FB5E3,SHA256=90046133DC600C05D3EFB7D7DCCC1ABB7E5A5DE5C5472331C80BC3557D22B6BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:33.811{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51923-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:37.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E725E5BD7D36F66FA8A6BBB02A851E,SHA256=4A80C94F82AB175B3BA02C7C93EC8D5C44EF74B7F709943EB79A7AA198160D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:37.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B2D8D8CA2795549EFA2E168D8CBE26,SHA256=43FCD71FCFB94B264298D8B8F76EBAB5912ACA1F36EB9D6611B76F38FD98EE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:38.559{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1E642DBEB3A2A90C6A58B94AB3D4A3,SHA256=FAD73C75DA4BD5D6091FCD80B06EBCD2BBCEEE9DB0EB84330D43FB2D2DBD7A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:38.190{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CE06745CA2C41E9EEECE12E73B8920,SHA256=09299824842B80B9CFFB658CA76F757A2F9DC10E2922C181C8347CB3EB2D7E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:38.792{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=317AA3373085374E13B6F3B5F0755E0F,SHA256=D0B445928F0788F1C1780C0DD358843EFF3406F2F0083F49D5135C64C48A28AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:38.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908D5EA36E270C9BBD7A9871B992DA11,SHA256=DC9699A1100EA9FC434BAB7CA55A8148450E57E73F50E82D39B88C1B6C8FE678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:39.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71973A62770AE29076DD698A1069D66B,SHA256=7D0E4B5E022E38A515B7FCD053D325A307FCB6E5ADF3C5D43C814108FA870B04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:36.085{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8384-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:34.988{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59504-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:39.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B85FB78F0417EA94650779406864DB,SHA256=085C72F07BFFD7C80589F5AF6724D58784BA0234B2C3FF141E23EC3437B810FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:39.580{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:38.497{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-57974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:39.642{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D0A1AE10AA3F21602D8AC2FAFBC93C3,SHA256=739D363FE0651F40FE652F6047343915C0E26F09063981F1BBCC82C4D75F57BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:39.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB57D0999C515AA4BDFA3C080E41677,SHA256=94940060480A1BBEC5BEBD801A2C8414AFEE156E1D6AAB1C21DB0DFC4EFF917D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:37.232{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:40.042{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C08B2E92CE6DD4831D9A54CEC77345,SHA256=E51E813C93B09B23756547FFEE6A5AB61C9FD1C9C16891E50DE715AD97647050,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.664{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.722{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33B8D450DFC88322E3D5097C0E870AE1,SHA256=2ABF1FF0548E380450FB32F75C57E90EDAAB0A243083C61C9D1D1DE1E261C816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.721{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.720{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.719{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.719{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.719{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:40.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0358C18D01532DA2ACD22187D48954,SHA256=B9E0DEE7436712C025CC846D15DDE058CAB903EA615D7DBD26B89DE38EA530D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.871{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA6CB2385A363EE03D8A3A3F392206C,SHA256=7E9DFF85D2F819781550866D192B2CAC1FF89C039156DED69E65DDC6634BEA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F3A11D7E8D6E0EDC442500DF68F363D3,SHA256=EF0B5871B4BB9EC255ADD9B157A8F3CDD4A1815BA665C43CD8FC02A18EE85CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6DC8B42EA3BA07B85DB1DB6533DF66B1,SHA256=DA2AF757F6297B5CE5259A4ABFE6027B09C18B25FDF9207690E5AC38014A0F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=11FD5208BA38987C8E3884E7B07C6A74,SHA256=6795651F7E8AF5AC6EDF2C3148FA026FEB67878858BDA31DE2CDAC3103BE7D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F9CD74F13CA54D56AFAD8197A7AB5B57,SHA256=280F7DF31BB134BF1B05AD31EF2982F6C3C5075C13EA43871B33AE1B0F8045AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FF6553DBB9025E7FDF151B00B13C2A5B,SHA256=24EE621B360BA059F9A2A353CC5FA189DB8E480B9A2AAA1A432E41CC18A158E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=520B05345CD17859867958CDA744D945,SHA256=307B99A5E8D478B58EA107CDE42361BC603854A6515DB4863172A8F3D16E523D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.740{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=85B0DF8B6CA5FBE7082DB1B9B55BDE25,SHA256=B37FECB2C1D15D2ADABEB75AF8432DA201E9A5C5E3CE7FC32D64D3C1C2D079AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.456{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC9E52A9FB72F1725D197A76306AACD,SHA256=17665E92D0282C85AFE110C64E0B75A9146887CEAC9A1B5A58C9DDFC3AEC5200,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:38.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24121-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:41.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2637B9EAF0E038CD3A7BD523475B8DBF,SHA256=787BC280F1CD761F7C176A763B68D7F162E08F82D8B0702CF70C4806CA290AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:41.057{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0887A64DECB74AB95C428C6DFE49CEB4,SHA256=CE99A38C43BA170C807183B2FAAAED11221757BCA37BE80723C1606D97C7C829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:42.954{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C452FF1D0BF824C787BCC07923C5F6F8,SHA256=0AB17AB99FB5A87AEF0754A1AFE30A63A59BB577DD5312A5F6F2E35EFA7CB990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:42.471{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFFEB11756D94E7B99A2471A484FE5C,SHA256=375BD7A7303C214879CBA33D81B3DF7FD62119BE7FD462F5B147BFA0A14BFCA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:39.482{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-31649-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:39.363{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61814-false10.0.1.12-8000- 23542300x80000000000000001294196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:42.323{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF3A82287DAC3302BFF905174436E5C2,SHA256=C91084FDB09B51F8B9F6DE1E9771D147B54833D68F590D874BA1ACF9E24BF300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:42.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789EDA0382E604FFF27FC325F53BD5AE,SHA256=D9350E433E170425F57A709DB46070A8AC81AC4913DD0324224DEDBDCB106985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:43.485{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B063E558A79DEB6ECC6227A802C92,SHA256=7DC7DEB39603E92EF2BD77BC6CEB1242D922CB639BFF5BA1E92038AA275FD3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:40.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:40.126{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-57477-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:43.448{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB231340FB3B370B173F74C661FFE826,SHA256=A76EAD637FF883EE85E792760E375B7D9BFE0193A9D69C3D7C6241A8AB46FFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:43.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2E69D95E00BDA87ED9B0FD10D594EC,SHA256=2FC927486BBF68F7EE60387604F3F4075EA2977B7EADC03C065E96814BEBBD00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:41.756{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-17743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:44.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C20221CB6598E0C348F6202AFA4DF51,SHA256=329A0F9EA5AFE9AA839FC60DDDFBAF0C83C4AC58EA9A0D0C6533F5AE21D53047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:44.401{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D26A1164DD757C166E115BC2D9AD3207,SHA256=224266B2DB9AF49163E43F429A98770B0C558DDCF84DF2782A8E5322E30CB33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:44.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9441BAE204E3A8639291660E877D3174,SHA256=217FF567046BE0FE4DD7AC9685F8F4E146791635E464D67C310D8FD9C4FC2E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:44.522{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBB84AD18AFB80F9EFB5978188110A6,SHA256=09CA0C944CC5207E988A4AD719B90749F594BFB9E5D8BF18B8D86BE2EEA04558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:44.053{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20AD6A6034408B55FAB5FAAF4DCC6270,SHA256=5F5B8B9FBF17A6777379E96F452C56CE78DCCB5F3F82AEA853F62693DB3E6C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:43.235{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-57637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:43.156{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:43.156{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59122-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:42.893{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:42.119{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001294208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:45.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADC3E2E0AB49D07A529ED4F440F5749D,SHA256=61973B1805B87C482BA9FF18287EC12F3EA611836E5F232CF5CBA6E8461480F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:45.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C52DC77BFEEBECAB57B0CC245D831D5,SHA256=256923C19DDFE4FA29A0059E001A9781CE3C12F4C96642ADCB8E9FD9123267BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:45.090{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-36978-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:43.992{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-30653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:45.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6529D9B6EA1AF474FDF75C7461A8F0,SHA256=8AD7D162C01DCB080E8E996F45A94393385B63E0C5064B957452DA9EE7518FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:41.819{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-48152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:45.183{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E128BB7B4A8F774A37C73190A9ADB2E6,SHA256=5EA79CB90449C63A102008A7301585B24CD24BD4DB8ED6A47E8411345C59E287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:46.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F26E581F5B1B02D3B46502FC5B6E5963,SHA256=D8DD3BC2CEB00E7551096F2587023596A516A12D514F706448A83665ECCE5794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:46.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6723999978E53E6F5637C332B5CE84,SHA256=EE75C3C0041F44FF7E18C134F7DCDF545077768CA91EEFEEADBA436AF4060FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:46.205{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-43464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:46.552{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EBD1FF10DBE1E4169F16ED25CA9516,SHA256=FB78448A82F307BF85C8EC76A8FAEE36E6C0E6081A037CE1419DE19218B29584,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:42.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55992-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:46.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17FA29554E2B03D8D007C3DEF1EF36C1,SHA256=734936339625E88C72B87A74A72E1558125C503ABBB5B488148B3514EB18BBCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:47.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:47.935{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:47.582{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C6796B446292994F14C4F9CBFD17C0,SHA256=049AB94B824D06773EFD24908A33683FB5A4B1B1B61EBE4EBD726926DA5982DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:47.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E016C5FD7E8D5E3BB44F5985E00C35,SHA256=4BF9D88CF819474684A9EFF3D360FF08241DC7A031401DA25833FBEB45051331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:47.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EC3911FE7D532FB7E7575C0EEE14C8,SHA256=F4347BFED08E49C88FE435857C8383ADD5D2221442CCB6452F322C83ABB50E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:47.401{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:47.351{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB8D1B4CC1C29C5BE9E65A6CC81EEFA,SHA256=C00E396765B20CCD69B74F2B5D678EAF9AD84909785CDC54080961DC3DBF2F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:48.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2C6A16D81DEDBD2719A0FAD32680A2,SHA256=E0B27A431258514411BFC493F1A3C7E4D6E5FA03DBD76B7F32AD2BD7F81834D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:48.557{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC765E01204C501DED80150851A68A25,SHA256=068B3094FFA1447584BE86D144A484B16159300CA555B5BD0CA1E1787526DBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:48.435{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F801E1E92DF82C1D463A5092C8A096EA,SHA256=0503E65FE1CE017268DF2A993D6644D8B4F7EB5260BDC6F697AED49D607528E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:45.118{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-13132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:44.440{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61815-false10.0.1.12-8000- 354300x80000000000000001294215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:44.040{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5165-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:49.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330779BD0BBE390A47C56420C2E1DB71,SHA256=D9F3BA297F296C47418F4A1C7B3EFF74E848AE8C0DDFF8A95735863D714A2AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:49.557{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A693418B862FAD016C58608FC331086E,SHA256=161FCE44C474B2A5CA229649521F326133F36B65E1B084FDB3919829F9F058DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:49.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC68CBF266DE5D120EAF612401B24032,SHA256=D6BC7381811C7844D30AD2CA48DB56AE70587277EEC055B20BE1595256884756,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:46.335{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-21287-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:45.737{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61816-false10.0.1.12-8089- 23542300x80000000000000001294219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:49.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAF0939CF83CD7F60A4A5494EAA1762C,SHA256=7709871BE4AD6F516739E7DC20A42471D3A47BF9FCF4AFB3D6E5A76BCF77D0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:50.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BD3068D799492D8AFAD744474F8B97,SHA256=BE72A2C07A09FE58F6D26863A1901B63710D8EB4C0E6650F92452274399CB315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:50.573{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03E5D2C3A6977FD9A1FE8DF906BA7A2,SHA256=E80C4CAB647064784FD39BCC734DF41D231499DE968C184D1ED4093ED1AB3A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:50.664{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED4D30A1EF23F56A6C2665903E25C424,SHA256=790F6BFF53B13D136005C4244C7091235AD3CC62F36E48BC9ED0B80D2A01DB4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:48.936{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001387456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:48.373{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-55976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:48.136{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001294223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:50.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DC26FF8848EA023D00BBFFAF3726CFA,SHA256=56DA08F32EF28EBFF04254624105324F2824895308ED4C11E66FAD49A1AB9540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:51.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D264222650F95213419CDAC2325754,SHA256=382A03357119591A87A0FBE00C1185BBE1CAFFD2568538699A167B4F40522545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15375E0CBD16166FD3495776A23FAD08,SHA256=61CCE9B3120BCA6612A72D17FC41D439ED5327A99A15B11BA63B763CDB2B96FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.778{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0221852E7807883E6C775B98FC264C23,SHA256=847FC1AE71C04CCBFA841A35C9085D6977C10390086BBC71DADCD7D24DE77C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=0C187D675895C2F1786947FA7A39FC58,SHA256=FEA32B6AC33456277758F0A32663D2A71A4DF41A83569AB5C4D1F5DAC7A05FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=67CB67E9BF790E6EB71BB149CEA917DB,SHA256=4FAC9049FD62A681EFF1F7E60ACC18FC44EF1C68404D68576472A10844BDA0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=28A6282F86FC5CEDABBE038546A14BF4,SHA256=D75BD011938D38850F892A216A15E8295EFE357B830B72E8AE05AD7A8DA7DB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=94CA5B6BABBD995D06ED6A8F552E624A,SHA256=FC5DC01A1D1AB14B334B3C7BAB04C064790B449F20B454F75132EEBBB482A874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5DDB3AD834C1BAFD85E76133D0FFDCC2,SHA256=7E808843932A5F6C295406B754AD061E08F7E7DB62029222019D0482C2003233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E02E016491E2A77FC203C4549DAA3B1D,SHA256=F8C226274E7B3B5DCBF9B5933094B81136936D3E19F9D5487E891F93DC2C5DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.762{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CB8C4760E6B103B289493593ADDFBBD4,SHA256=18F16E916C34717A1E10CD97AC5E802E869F450E1D1206A121CBBBB0AD2B95F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:50.571{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-9480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:49.470{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-3273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:51.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C88FC073F47CF6E6BFAA2D669E09A0F3,SHA256=70251DE5A4BF88A78852E296F303CA3DE635520A5571464A7BF64100265A6216,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:47.445{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:52.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4549FB8E18CD16D4ED6A333E6379AE,SHA256=FEC6EDD7A5E29CA22552547E483B2A5147419D60885C74E34748503C9EDDE6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:52.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87AC18A216D305955722119C8E176962,SHA256=9A6BA7746B19CF774D07384D970BB123E4E710C200F1FADDCFEB59CFE16E5FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:52.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D14FE59A68D10B1953D63B7331B098,SHA256=76CD7419286F1BE91BD9D13D181E2C4F08FE1BB3BAAF72F0562DF6DA53D22F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:52.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E730AEF0584FF9A4E0F070492264214,SHA256=0C0B7EC26A16A74943031DC37C998875F744BC88FC5AC8B4B96E0FADE1754035,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:48.572{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-36015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001387471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:51.699{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15807-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:53.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43DB832EC6F9A2492372CA54DF06715,SHA256=6CD0971C6E6E99FD71F30BB7EFB8CC64EB0C14CC84156CC4CA5D02F09B8AE486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:53.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22056A6E943459C4475C58F690423CD,SHA256=CC2508B28A8928CEA44F6AA39CCAE4C69DF946ED017342659CEB0096F353D456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:53.573{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C8C26F42DFE129A4D169C48D777E1C9,SHA256=109B5841E88AC60062A9F23EBEC29041A588C1E5F71BC7BF08EDF92A99A6A477,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:49.748{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-43984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:49.503{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61817-false10.0.1.12-8000- 23542300x80000000000000001294237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:54.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F1C9C31CFB546861F2653D3C86D6CC,SHA256=FE1757B90C992E02128AACD5E146F28D4856D0F2DE6C5D4AEB5E63B70F600E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:54.844{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D649CE9AC4D7CB0B2EF07640CD613557,SHA256=22484B76E60372DF3D6A15F9D4AB217BC34E783DF1B9924D36AC93C92C012662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:54.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E9B20897F82ADEB5758163FE4955D2B,SHA256=CD4916D6129932D1FE44CD07243C9F286BC9789A879697AB64550CC7583494D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:50.866{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51657-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001387477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:53.968{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-28516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:52.815{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22175-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:54.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A2EF84F5677EEB408E535585ED60C6,SHA256=8601069DC768A83FE8DA87F3A71B4D5C439BE51BD829E35794CF9ACE0B497A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:55.859{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADF0C2648C4433BB10FE9393651F717,SHA256=945619024ACD66C6EA469CC345E9CEC5B88FC57ED807009822907D09DBC79762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:55.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC71307C83530803EEA9C228557C56A5,SHA256=91489CE2CD23410333B21DAB36FB456F8CB61CCCD5BF47B750E52F428E70710C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:51.959{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59608-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001387481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:54.609{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.54.13static.13.54.203.116.clients.your-server.de54353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:54.094{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:55.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28FF0E4D19E3E50BBA5E57E26C34096,SHA256=9CA8987CF6DA01FF7732A2748B79687D4A3F5164D5CFED67E9DD4B07929324AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:56.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8742FDE41FA1F86D55EFC97268126B7,SHA256=0E09A839EADC6D0B66187C86C9D08BC7D1EE3313D4C9FD5E6F0ACDD46942EE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:56.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C098FF2087CB3A55EAFFC5870640427B,SHA256=4E9CD0B41F47785BC8062BB5F91195266BD04D2F7787540FFE4C758F3CD2FA33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:56.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDDAF604FA4385655DD79CC7CCA1516,SHA256=2E36EC762BC62B473E5DC99CA4DFE77F85A1FFAA0FDF2F970C9125458FA68E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:56.274{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FE44EF1DBBFE962664F207295E36D88,SHA256=7C07B2E62253E2CE3EB3473AAA6EE2363CE17484B0B13C65FE2790E9C8637E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:55.586{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:55.054{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-34667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.906{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6989EC11AC3E789790FC8697675CF33,SHA256=0E02558A4F11A7E1C1F30978FE903A136F312A687C12C3D5AAABB39DEF0B6E48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:54.249{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:53.072{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8546-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:57.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D3BD34680EA6A40C32A89F511A1B4A,SHA256=FD66F793CB12B27D81039D42377F906367E77D1C24807B38D4180F6D7DF0AC52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:56.696{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36537-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:56.166{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-41102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:55.611{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30579-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001294247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:54.597{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61818-false10.0.1.12-8000- 23542300x80000000000000001294246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:58.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770AEDEF7477269A7DF7085FD574CE51,SHA256=2F786D15EF5C3CF7711638A4C49126A6819ED63D3278B472B6B8D2CDC35EB4BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.965{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.957{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.929{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43460-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.922{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.882{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.824{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.818{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.802{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42771-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.779{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.779{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.757{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.733{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-50013-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.687{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.651{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.627{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.600{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49117-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.571{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-49038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.549{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.514{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.492{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.469{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.446{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48333-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.424{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.385{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.348{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47718-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.310{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-47543-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:58.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444BA98F876D1412ECFF2BF1689A207B,SHA256=C76CEF18586DD4E8ABAB77ED0DE2559154FAA2C03442A982581FA85F0AE1E07F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:56.492{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-31761-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:55.363{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:59.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB55FBDE88AB914A3B0D0F9A3DF5734,SHA256=2434824EE58EB0C5C89437F4AAD6566E9B83216BA2A365637609A9526C5043D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.256{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB277884A48773DA0787BC0A1DF0F47,SHA256=FAC1E6A45424D15A4F1DCBDDA1B7905DCC0E746F793EB260F78D352F078B3ACE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.863{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.840{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48224-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.818{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.795{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.771{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.726{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47242-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.697{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.665{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-47034-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.624{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.586{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.541{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46506-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.498{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46341-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.460{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.424{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46027-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.401{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.377{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.347{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53537-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.339{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.320{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.316{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45529-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.274{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.270{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.240{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45111-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.217{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.210{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45007-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.195{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52822-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.187{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.172{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.164{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.150{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52412-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.129{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.111{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.089{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-52032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.071{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.051{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51887-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.028{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51634-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:57.992{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:59.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5559D8D9ECC1A95F46E15CE441D31A96,SHA256=F7F5C42E086BB85AE15E1474C579F276DD15F94078306A1D5DB610A0E03D292C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:00.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D07C0C171D7CCFFD3E471801383268,SHA256=A03FEDF25285577B3C4A7A9B855DD4573E2B491638E995906FEF485A5C43B5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:00.296{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3389A14ECF7EE95E9777655BB77E494B,SHA256=17232B2B07D9C1B7B9F6DAA83457742A217719E342FBCC192F7839316FC6CB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:00.386{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21B7EE010774552C1584C61189ADAD9,SHA256=FF28F866DA25980974F67651EFAAB96CC50F3C61D7BB1B8C9E1E0823CEC1ABE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.734{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.496{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.473{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.451{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.428{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51511-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.406{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.365{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.343{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50942-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50804-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.282{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.259{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.223{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.200{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50064-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.127{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.126{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.090{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.066{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49357-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.028{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.990{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.968{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.945{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.922{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:58.886{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-48459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001294257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:58.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47553-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:57.623{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-39618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:01.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FEDA26FA480684E1F79FFD41D1E3CE7,SHA256=20F82FB4BB5A0B3EFE779BD417B09AF3EDBAFAF047DCAC6829E760A0F48AC61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:01.296{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49154B989E495F2377ECE2AEA28003F,SHA256=8244191B7F3C38745DB0A3FBD92541D63CCB67B491033747D67401D84F7DA68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.965{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.942{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54080-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.869{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53746-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.846{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:28:59.809{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53388-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:01.186{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDD7EE2F1661165C290F92C405EF437,SHA256=3509E31E4AD3CC4147B4574FAB613588E5B3BF34EF96579048DB194C5B71BB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:28:59.795{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:02.499{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29522B3B8F179F52D95D7804CDAF834D,SHA256=FE3DFD6F19804E1B91BD10B60C2253B138459B3E28C9E5336B62EE0D3937EF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:02.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB9452488CAE3DF651E8802BC4A97B4,SHA256=60A206AA46AD388B0B5B1522DB10FDA7804E0665B29A468194C244A6208CD6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:02.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8B1565FAC0493F490D78CA8A76B982,SHA256=815C3DD41A270EC4686A0E7F6D0DABD3CF56FFB03C5EA9E06612B8CD0F3BEF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:03.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBACC15D74556C3372080534208B75D5,SHA256=7B15E73A49623D887FE9FB9AEF9E93D13AC767C1BC479DAA0C114C377D12B8F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:00.917{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:00.492{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61819-false10.0.1.12-8000- 23542300x80000000000000001294261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:03.327{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989C8902C091912CD7547D6FC04F71C8,SHA256=D99B694BFA3F293D5E329F8C53F205C09D9C7C5DD1E912A7FDAFE26770CA5DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-D0BD-6152-ED26-00000000FD01}20847108C:\Windows\system32\conhost.exe{5EBD8912-E05F-6152-C928-00000000FD01}3180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.806{5EBD8912-8D26-6151-8500-00000000FD01}27604704C:\Windows\system32\csrss.exe{5EBD8912-E05F-6152-C928-00000000FD01}3180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.805{5EBD8912-D0BD-6152-EC26-00000000FD01}30126820C:\Windows\system32\cmd.exe{5EBD8912-E05F-6152-C928-00000000FD01}3180C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.804{5EBD8912-E05F-6152-C928-00000000FD01}3180C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add /?C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-D0BD-6152-EC26-00000000FD01}3012C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x80000000000000001387594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:03.222{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779F7FD5DDAF3420468BC300B05A8262,SHA256=502E556F387FEE0AE51850D95B151939DEE54BCC172C5B0B4FAC4F19BB80A51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:04.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1167A15AD13A503E77104658B16A6DE5,SHA256=5F30A5751A199F9A7CBA97695A1547496B2F97364E18834D05D3BAE060E6023E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:04.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B91A26A98330CE555B740B8144AE8E9,SHA256=512409C476577E9B0BE6E5377C4F0E33CDE11C7DB884FE68A835BDCCBEE1833F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:04.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CF89793836B39E32F425DE92F2DD3B2,SHA256=09A1DDA77D41B419217F6A2B6E6A4F8BC22F678DC97CC1FCB74B8FD35F68DF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:04.223{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BA832052436CE4B3E7A9F702551D69,SHA256=98E98BC7D669693D8AB249DE91D3FEB74494983CE6FE80DDAAB88623A8AEFE02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:02.321{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:05.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1D9287FB0113F47EE5D573DA19C00A,SHA256=6EF8193775D81DB176886FE7CBD0E6D4E8F7D9548CB4CD1C043FE73F084BA8AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:04.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:05.254{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C191F00BF227619C9D7FFC3E8D849C,SHA256=B13B47AE186D68B9BCECAAC90E2E9019CB13E7530A27E5CCD469411FEA123492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:05.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C29245A22DBC83BAD593420F51D3BDD,SHA256=26F7BCDCBED557EED8B9A572F50C0965384E529AD5C24C750F8ED77A6CA1A8DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:03.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20746-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:02.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50544-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:06.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5507332054BFB8B17CCC64EE30AD0A25,SHA256=41F1747D1EFD98B4C2447EF4FCABE8973AC25049C5B586831DEBD319065F7ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:06.304{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0173CFE5B48C5B2E8585862C46C1E88,SHA256=BF2AAD7B991D4FBAE8F0E18FC058A0857248B25D824E623E81C867A25025848F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:06.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF950C49F4FB934FE5E7EFBEEBDD4EA3,SHA256=AE3CD95DFAF547AF125E91A8043F8B2E348D7090120A63617C783FBAF8BB0A9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:04.670{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-29415-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:07.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A33760E3266EB66432E99B569C3629,SHA256=44E1D5DE1E11C03DE1E8EBA3C12480330AFEBCAE167293C107AA1426042B7A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:07.320{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDF2E347B488656E0D3D49139733BF8,SHA256=3682216FF02F103F6E6442AE66EF0DBA778EE1578F3CA97EAB7A435EC20D1B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:07.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06DC9D3E90FF1BFCED9F7C18082CB769,SHA256=F4A0FD5D696C0650EEF12805C2837F6701200BCD1A173DD3DCFEEAFD8E602FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:08.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE54ABDC80DCA7AE5CF88A120A2226CB,SHA256=847E01CA3C6D502D909AEFEF2633B747C58AF80D977DB657201D3707769ED19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:08.350{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6A4269A9D6E9185DE9A0D71040C234,SHA256=D117897F4CAC2023AD3697EC08AE60F2BD9D583DA50F46A7F64E872655AFCD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:08.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B272EC38B794D9D5217D51241559FC2,SHA256=29F50F00A37C37F603717A0ED84B65DD3E133F94112104335F8FFDA9C45E5AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:09.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8AE956074CCDCB516CDCB61FC9BE6B,SHA256=DE420295628267679DFD54AC64B88FBB3CE836C8B1B976D6E8F8A500A79DEF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:09.364{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8FB1E9CCBBAD9CF33682E1A7A6B839,SHA256=4647FEEE4001BBAB6E38BAA324BBD8BBA61A738551DACC56D3D860AE4172FEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:09.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DE24D62329E443594E56B4DA2A8B902,SHA256=642D192A05B395EFB890C17E06DE417EE06D5E86D00827512ABA4E789AF90E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:05.849{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-37506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:05.523{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61820-false10.0.1.12-8000- 23542300x80000000000000001387623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.932{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8973391570777945CEADC885B88FCEAF,SHA256=1EAB46601E340FD4119E41B10F7144B3738DECB306128979E4F8D48662E4447B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.628{5EBD8912-E066-6152-CA28-00000000FD01}53445540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001387621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.197{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.403{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB73047A549F79285840F277235895DF,SHA256=A9929677A7248DAAB582FDA6DEE514256328BA4A78547FC9D49C45CA5CA57AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E066-6152-CA28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E066-6152-CA28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.217{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E066-6152-CA28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:10.218{5EBD8912-E066-6152-CA28-00000000FD01}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78475A40E713D58EDDC5179EE5AAB010,SHA256=0D691F1808AD0FF029D07036421440227413CFE8545C97918866B2702734DB7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.499{69CF5F33-E067-6152-B8A1-00000000FD01}9123552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E067-6152-B8A1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E067-6152-B8A1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.312{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E067-6152-B8A1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.298{69CF5F33-E067-6152-B8A1-00000000FD01}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001294284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:06.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45471-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D7B8A48B9399FAB6AEABFAC1DAF039,SHA256=13CD4EF5749F4B80BABB87D24D6615EB15BD83362E234D14CC96E8887333A88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08AD6D2D35D6507B7C4F92D43922DB5,SHA256=241E753E1A8F3E6206CC1826B45B8B7E80997FCB240A8D8B6297FAF72EC4754B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.253{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57C094AB275C06D55AB9A2CB2E76FEE,SHA256=99240EB11DF77B43E49F94C84D1026506829C192A1A553C7CD31F3E4A15A3E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.253{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B91A26A98330CE555B740B8144AE8E9,SHA256=512409C476577E9B0BE6E5377C4F0E33CDE11C7DB884FE68A835BDCCBEE1833F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E067-6152-CB28-00000000FD01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E067-6152-CB28-00000000FD01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.069{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E067-6152-CB28-00000000FD01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:11.070{5EBD8912-E067-6152-CB28-00000000FD01}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001387644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.852{5EBD8912-E068-6152-CC28-00000000FD01}6202892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E068-6152-CC28-00000000FD01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E068-6152-CC28-00000000FD01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.637{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E068-6152-CC28-00000000FD01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.632{5EBD8912-E068-6152-CC28-00000000FD01}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:12.468{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9498D2C757D5FA5AFD1965742AEA49BC,SHA256=392D99558569CB175CE0DFA2E940E01F3EDBCA2344B203247AE2CFAEDF71BD6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E068-6152-BAA1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E068-6152-BAA1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.702{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E068-6152-BAA1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.688{69CF5F33-E068-6152-BAA1-00000000FD01}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5FE25164C896EF020973AAC2948835,SHA256=511BEFD67F7C73B2FFA9CEE75A3A6AAC760AA11D06C065420BD4815A9655337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC29A5FE99820B98375C9DF947760A3,SHA256=D211931F182BD1A96EF8C69AC16D8B3294927A54591610EE08950581037C1218,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:08.075{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-53409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001294312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.234{69CF5F33-E067-6152-B9A1-00000000FD01}3056508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E067-6152-B9A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.015{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E067-6152-B9A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.999{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.999{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E067-6152-B9A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.984{69CF5F33-E067-6152-B9A1-00000000FD01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57C094AB275C06D55AB9A2CB2E76FEE,SHA256=99240EB11DF77B43E49F94C84D1026506829C192A1A553C7CD31F3E4A15A3E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6605668CC8CA7CF7BE958C39FC0B8C,SHA256=AF773C8F8DFE08FA35C4337F30AA27F2E8063DEDCE737CF55326370F89F7FEBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.702{69CF5F33-E069-6152-BBA1-00000000FD01}35721428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.406{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E069-6152-BBA1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.406{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.406{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E069-6152-BBA1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.390{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E069-6152-BBA1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.375{69CF5F33-E069-6152-BBA1-00000000FD01}3572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2C9476A76460CDA68F3FF23298E7FFA,SHA256=E4E85438DB2EB1F7D0AEA29F7ECECD04E7418BA7A7E232024F3F697A02BBEC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:13.359{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BB8469952F6C1887F198C566709295,SHA256=C8F51A1C39F22382BE628DB3CFD0B6D281D81A358A67280587EEC4CC2BE4E690,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E069-6152-CD28-00000000FD01}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E069-6152-CD28-00000000FD01}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.299{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E069-6152-CD28-00000000FD01}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:13.300{5EBD8912-E069-6152-CD28-00000000FD01}7032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001294329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:09.574{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4064-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C32667535FEBDE57531E5D8E62F112F1,SHA256=051E9257ABA947CD7D0EE5F6695B52870E48C3D8BBA66478460CACADBFE49633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1B91CE6EDAA6EF767B1C545B5ABA6C07,SHA256=229013E2A32E02D4BCA43CF5079EEDFF12DED309926562BA123499FC6E0CF242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BF2E05A0523ACB75AD04E645E76A0BAB,SHA256=AACB9750E8820CEDB4330B94325EF7FA046A8E809D6D93B47FC1FDACE2ED6EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=63FF2A7745F513405BB4718655DA5478,SHA256=79C33AEA826B9AFE653BECE44CD51F6A3ED87EC49754C0E3A1E77C570814ABB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=680C4F0FE9B83F59A119D7BEF4E0BA0E,SHA256=51BA89A9FB3A66036073979A73DD8F956A8C3FAA5E6D220C21DFA944BF0110BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5DF26739DA67C4A2BD654B14DFE32E81,SHA256=C47FB74BAC39126357B0BABAE3062D07D77B164A73766769D84479B1730A2FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D275F28DA5F6E4C0A028BDB36C3D956A,SHA256=97ABFBD6DB05757337614B43FF3C1350A36A867B1AF1DC5071BB5AEC2630DA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:14.486{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE3DAB1DC6C27A06AF7FA6AD72EE4D2,SHA256=6F0D03B21DB59F26799934F893B7BC9591CD7F23BCC90C0246496306B6F2E367,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.921{69CF5F33-E06A-6152-BDA1-00000000FD01}31443568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001294375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4CA04CA112E50171BFD3A0587A8D5D,SHA256=E5748842A64A2B3904E9242C886C3E5E05CE9D7318E487A1A993FBD0A2268C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3EC2BF5CD4697229C091DF9AB2370ED,SHA256=98159C896432250AB1179568812533C0BB520C2ECAD3EA1FE2F9A7F7A9BA913E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E06A-6152-BDA1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E06A-6152-BDA1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.781{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E06A-6152-BDA1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.766{69CF5F33-E06A-6152-BDA1-00000000FD01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001294360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:10.654{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-12164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:10.586{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61821-false10.0.1.12-8000- 10341000x80000000000000001294358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E06A-6152-BCA1-00000000FD01}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E06A-6152-BCA1-00000000FD01}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.093{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E06A-6152-BCA1-00000000FD01}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.078{69CF5F33-E06A-6152-BCA1-00000000FD01}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:15.505{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C20A54F024A84DDEC2F2F341A582859,SHA256=E3CC5E6056D388C160BDB8C283A9E53BF032692A83D791861F691F3597FAD563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:15.640{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C3AE5675D35CF50B8863A89A6B71D57,SHA256=33990D3BCBA8AC0FF1D1DCF10A969DECEB4C2274FCB02E8FE4057F490BBD080E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:15.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C199A4798140CD305C7276F804EDC05,SHA256=453ABB57DDF7714EF22A9CF62FCA37709032E0CAB1C614B2FFDAA0F6A964F3B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:11.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-19728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:16.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B510100CBA4449F2E4D92A14F889D2E8,SHA256=99ACB4DC77F8C577127900F7B7BC3D4D340689CF4491F07DADC56081DD9509BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:16.452{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A6C0461E09143A53CF0B957A600A7F,SHA256=EA559286F8DD1D017BB36511D0D8614BD4F840D76467E3876FA1083E73A39F25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:12.873{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-27594-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001387673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.786{5EBD8912-E06C-6152-CE28-00000000FD01}40082108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E06C-6152-CE28-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E06C-6152-CE28-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.536{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E06C-6152-CE28-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.537{5EBD8912-E06C-6152-CE28-00000000FD01}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.521{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67431A101483EEB5CE52D9106A1BBE93,SHA256=02041A9F1375054C6313E9210B1FA7F1FEF0E8258BAED0BF4A58D1DE90B30764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.539{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE22D82F0DBE931F3F43ABAE94FD3D00,SHA256=0918AEFD7EC4EB79B80FFE120568E05BC36F671C7AA7AA86724FAB6D2C107ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.523{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3FC0FF4F3B7C8813DFB849F720A508,SHA256=C71DF21E8D8B4FC66D10155EA114AD3CC9FF3B19A5E3DE62CAC4170588CC3766,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:16.224{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001294385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:17.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C0BE2A28A852D45BF4F78D670357BA0,SHA256=AD629FD517E3C298CC00B6A9F658529D2279445B4547C0B11D3A9D90B18EE021,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:14.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-35481-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:17.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F35E0C808F1CE6F508C284F5EB64C90,SHA256=C8B13BA26782B75240E37E95B64959491CF5777133FCE819D9CDA3CEEA74CEB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.386{5EBD8912-E06D-6152-CF28-00000000FD01}70686860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E06D-6152-CF28-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E06D-6152-CF28-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.207{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E06D-6152-CF28-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:17.202{5EBD8912-E06D-6152-CF28-00000000FD01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.539{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8B480D90DB224081D4E658EEA0F3A9,SHA256=6B4D14B4E2322AF8377847D453BA3066D5D3C94540BC77DFD232DB35FA841EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:15.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-42777-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:18.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211AC0FE00DE13E590D0FD529BD04CCF,SHA256=BFCC7FC54DC395F2525914539AD1527C50F9F3C2765A491B332FE580476F839A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.307{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.307{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.307{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.305{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.305{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.305{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:18.305{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.953{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E06F-6152-D028-00000000FD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E06F-6152-D028-00000000FD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E06F-6152-D028-00000000FD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.937{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.938{5EBD8912-E06F-6152-D028-00000000FD01}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:19.553{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818F2425B204A83376F2BACBB1BDC40C,SHA256=E7E47C58ABE4AFF2DB3FFB81B82ED10EB670023509EDC898CA83E9172E6C6BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:19.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2844BBBC9C7C71CA2663526400C758C2,SHA256=2B0ED620E7700FAF9CCE55BE7EBB16C237B0A03044FF50EBAF5D4C6418D361AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:19.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8F73BEF908DAA5D137CAAA8114ECF09,SHA256=5A5290435A24D386C0918E368FEB76D1F539951F080319CC431AB5BE87FCF9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:20.953{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07F56223B76FBF90EDBBE472A4B331C3,SHA256=B35D822C3171BE1C7C0E9593241B2F6A8984CFFD40F5636A18316DDA4FC72044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:20.569{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A72173ACE8C50EDABA43ACFD46E896E,SHA256=59C9DBCF1B6D3721BC63AC639D74878D80DA55E511CEB2A49C04F00583A8CE42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:17.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58966-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:16.492{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61822-false10.0.1.12-8000- 354300x80000000000000001294392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:16.260{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-50820-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:20.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC07584C527631C067BAE364A27BBE35,SHA256=285E493438EFDE021D5C7FFF6B2B52FB97446E129562929FBA81AF41CF1F4314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:20.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95B49A79B7809189DE960BB3B79F0F4,SHA256=7DFDBD184E9E714DC24CE98986B8E0164D9DB2ED74DEF000F948389EBC5FE484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:21.584{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3F70C21F0359BF1BC8D4D4BCD5878F,SHA256=08B159120C6CCF3F06E1606760F707071AD83C57091E5C939C18F5F4559C43FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:21.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B836147A04D2749A238561655B09FF03,SHA256=A03ED62D7055689D77A4B13094AEF2BC30646A04CD59284470B84F5884A92B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:21.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E963F7F3CEBA951BC70BA29D881E862,SHA256=6201D97377C2F0B21C8B5A0621315BB5B36A2EE9DF4A36309276205C6849D80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:21.019{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5729MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:22.086{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:22.640{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0749C2A25BF48CBFA5E9F5822DC9A0FA,SHA256=7E13430A3CA6C71AB50985F50D47FB532CFF6035698348B969A5CFB5A7BDA5A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:18.541{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7883-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA6773A4FF73C51CD6C2F415D928656,SHA256=9B6C3D4BAE684F831CF348E5FD773C40B2631B3AB96F8AAA4B6DA7AD39105C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.354{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EC20493FB8D4054B05C11EFCCDCF3D3,SHA256=1C3CDEEFEAD22FDB4680BC1E720ACA0156ABB2F43D73A97A046DD0FFDDEC80A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E072-6152-BEA1-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E072-6152-BEA1-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.214{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E072-6152-BEA1-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.199{69CF5F33-E072-6152-BEA1-00000000FD01}648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:22.025{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5730MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:23.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074DF529D717DC218CF1870106644862,SHA256=85CE98493687A23CC7110570CC94A6BF9F83C7A5229F15217AEDB2F0EF1EFD04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:19.646{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-15576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:23.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F08F1C4960C378B3949453ED36C6DA,SHA256=FDDDFAEE69793C234A7C859CD5FBD393F3266D3D882BB0760E7583B0376D5AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:23.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DE0B8E127D66B6CD03C2750F868B946,SHA256=C2C6DA4C1BE4A73D41A4DA31327A1745C63A3B1DA7FDEFE87B717FE8ABAE9CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:24.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFE7542081CF6B7D6C2A20B6468162B,SHA256=647404934A945299A3AA3AAFB6EFE70F747EAD322CD0226197888D9038FF8BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:20.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23135-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:24.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E92365F3C3BD5395C288C6761B92227,SHA256=96433C89E683444863AA5B0AE7355356F822BE0B3616C3592812E1DE1ED41F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:24.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F9A3B127A853EFF3BA9E9476AF0414,SHA256=0F6F9C6E455F062BD5624845311CB458005EB9F960768BA65F0406FB721BE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:24.188{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1412MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:25.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7340DFC38A763085CA03678A840867F1,SHA256=B544CEA5781B702901173C8E17478575B8047904E58E2DCB190AE000D2C80BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:25.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B8E931D8C695D00875E9E8C97BFB9C9,SHA256=8B218B386805C56325B2CC67FD8F45D0F8E447629C2BBEF938F68F3FF1179919,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:21.840{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-30717-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:21.506{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61823-false10.0.1.12-8000- 23542300x80000000000000001294421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:25.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B03194620945C086E1F0FF151B13E3,SHA256=6DA932081AD55A6AA4FC98D611EBAA76F82AD6A7260694551B601CFD40297ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:25.202{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1413MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:26.873{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA45072896170C4955BE1ADE12032225,SHA256=B3632253C2FC677909081619AE81A664A43F5A24989A58D1625A42FA29384538,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:23.008{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38253-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:26.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48411ACC69730FFFE0ADC4642AC63814,SHA256=59DFD406E507A51152CCB668848F350176ABA18A6A736A6660BD4C02320C6FBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:26.157{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:26.133{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29398-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:26.703{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FC1CEB888E4EF6DCFA3AF34F3A571D,SHA256=CF80754B3A3806FFC53697732D2F1D59A5EDAA916EEB7A5E957CF8462EF44381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:26.354{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20449882F11EBE8FA6CDD660224A418,SHA256=8E423EEE493509521158F3A461FA42B5A60DD6A2A0421E8F8BC046A99AB26F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:26.354{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AA8116AA4E6ECE80F69CFED4261063E,SHA256=9408A0DCE4543182422C35C8F20C4FF7CAC401DDF335975751B96B6A7E8D3673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:27.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98AB47550B89B95E8E524232ACBCEA4,SHA256=D684245C13C65755A874AA217E0E512759671DC89BED07D4292666B74412D1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:24.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46591-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:27.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A23EE5A3F045180DAF88FAC4EFADB,SHA256=B5E6596C7A5F24C58534386F932E55575918D776CEAD025B0479FB20D0B34A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:27.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20449882F11EBE8FA6CDD660224A418,SHA256=8E423EEE493509521158F3A461FA42B5A60DD6A2A0421E8F8BC046A99AB26F7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:27.377{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36095-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:27.188{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:28.767{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7083C2F755118D79B2ECEFCB7D892CA,SHA256=874779A12F7EE8842E7CA07829856C149067473F3F3F0AA98A81213350B92B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:25.262{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:28.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A03D9D6C37C150C274D579C16D13FB,SHA256=EA7AD8CF1325785690B2CD865A371C45C4F0E9A7804A3A126C4330406348B54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:28.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6603672245936BD7E96B416F81AAA04,SHA256=EC244DA77B5C9DEF23A77CA8F9F19B73C538D0AF0ABFE1F3275844B2F273329F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:27.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FDCE70C9443E5EAF8BFD681A05571EC,SHA256=A98913D538DCCF9E8B1586E1C08EBB1A9F36E2DA152CA859DB2EF5FA562E67F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:28.817{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com43632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:28.473{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42024-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:29.802{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F698F76CA7B1D512CEEAF23AF3CC7644,SHA256=27501A5B9E8F29E2558602CCA0EE45DE0F4FDBF6A738288CDD2229F4C28DCAAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:26.372{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:29.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E0EFEA194F2AAF7309A15817E854FC,SHA256=0AEDE280423BF4357949C350C113B7198FEEFAAC2DF2C2EA6F78E27A0620F08D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:29.683{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=530E4025A61760ADB5332859B552272B,SHA256=4CC5128CDD78E175EED7054E05C379390F14AAEC8BDC8321249EC22EC11F6BE4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001387725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:29.483{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001387724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:29.483{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=BA7214D8CCA460D85929C9419B4AE7C7,SHA256=ACE1C22C472A042B22850BCB15DA3C76AC29FC84BDF47DC0D92F2FA92D792168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:29.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6A17FDB151A9BE03127CDDE037E8CC,SHA256=5E562AF0831DAED571A0681100A97FB250AE39D31476F43C4DD789D92153282A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:29.603{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:30.836{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA518094A2FEED642B7652659A65FC90,SHA256=05802CF9F71968A54609E00B9C3F3546158F5BFED2409FBB31CA3982F8FA2312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:30.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0682B5A3B736DAB25036A1462062491,SHA256=C725BE0E1C1EC89F81B845CE96FE7A7C905101FD240B8DA8E3DE2E589C8BE644,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:27.516{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:27.459{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61824-false10.0.1.12-8000- 23542300x80000000000000001294437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:30.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7C1D85DFFD37785DF32767DF275BE6,SHA256=67863DB59BB5C2ED2DA282240243A36DC3272444AE886BEE88527D342C53E8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:30.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9A450B4A10CB17F9E1CDDC48D788BD,SHA256=A18C3B4C5E477430B7E970B0A6F6969288004C4C2995B9D2893E3FA4F8054CE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:28.823{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-20098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:31.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5149A7FC31535D7E3D27DF222A4A359F,SHA256=3719BAF5A421F9C8A68446D5C84D9EB8CB08EF59B8B35B77B475DBC2F1C22336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:31.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87559DC82F2CA757F3CE808701BAC3D0,SHA256=BFE23DBBEE4602ACC2DD76461BC8F88CEACD94333F7A2A2CF11F063962DA4A71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:30.720{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:31.966{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30277BBD1FFA47B9E7CE6458231CB64,SHA256=EA7C5C62FC7D52BF7B17057B846EB424473EB9B9FF4149F2E412A6980DB18D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:31.867{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B170899D167073EF5F8B9A0C3C5338,SHA256=10810530F933D256A21EAA349637794A6CAEA9C89860A1D2B4C5DF41F3E0EB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:32.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC14DED2BFEF750F8015A6D532ED0B3B,SHA256=B46DDC3663AEADA96EFD117D01AA5A9E90A4102732A9183E41CEBA76C55DC583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:32.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97C42676B7784DD3821A09114184DEC1,SHA256=C19187DC7AC302294A3932F9D54BFD5CBCF8926098E90DC46C23BC3146F2E892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:32.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E58208F25F6CFFBA681C96FD40CA5D1,SHA256=BF603DE19CB25CB4F60CB5F3FA3CCE0F9B6C10D272F980C72D8639FC6ABA7F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:33.918{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95337279F4EE6E6E7E4FAA29905FA8EA,SHA256=8338349236D54C4480FEB43B74E4D8ED840E7E91B7F37B1A0B399EF4229C2E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:33.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA1EA1BC2A75220DA5EF8B8D4648E49,SHA256=9B943CF71D6794DF466C7646FAC83A1021B0D120070FA1E3071F77DAA819FB51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:33.153{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:32.989{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:31.877{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59750-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:33.051{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C248C120C5621176E636EB1A6220F18,SHA256=F6F254B55216F5BA12EF8CF0F8C64DC2F1B8EEC2E32938EBE6FC95754A7216E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:34.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C980F0072762784180E76B70FC425558,SHA256=0820F48BDC0F3C8A4B3DAEE00E7763D7123430B7D66FFB93168A56938C0EEEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:34.933{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC1A4CCE1D1C98F03C3E0CBD0D34F5D,SHA256=35E8AF99B26481BC789B89641E8A4E32F836F48F099A602BD6758E736C2C6C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:34.199{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=045D5665D5B4D86C70B2EE9A7014FBDF,SHA256=0B102F4CEEC728C0F31CEBF189852BE19F7973D987AB18A17D103C4D78EBA381,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:30.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-29148-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001387746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:35.948{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104F5F80FBB2AA0C2203C161E8D5C670,SHA256=1203F8742AA482DDCA6DF0387B96F7B6CA0DA666CCAB5542E07AADBA73B3F8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:35.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85672372CD6D10DEAA44A627E289EC03,SHA256=742DCB286505B29FF3AF5A4CA273578EE33ED72C5FF43256A8EDAA4B04005CA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:34.117{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:35.280{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D92B0C83DB48B253CB75510328D42B70,SHA256=743D92FC26E07E444F93C5A451FA24905289B8F865220B60B9DB2BC298596172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:36.963{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B5791EE70C688EA367294E37637DA1,SHA256=0A1016FF66B74BF9B0E79932928250DD682F8D38EE72128D8CCCF7F0B7A980C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:36.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30745A9CF7D1919F066405BE03719A71,SHA256=2BE5181EC9CD5A8E3B9DF787CAD5A4A510824A79ACC967D80169522B7548146F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:36.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:35.221{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18117-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:36.363{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9088654700AAF3BF4281008A07554114,SHA256=FF39A419AA1DB08EF6EB70909D7384C09FEA63540123E29341A8E8A28965CEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:37.979{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A15D49DBC37354C5104AD428EFB2149,SHA256=3A7CE3DA6134F5330BE89C1811C4C7E23A9378DDEAF68A81F4FE656BD53BC700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:37.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71680042B1C0AD4B670004B3B7B4B269,SHA256=82983EC27E732E5D3C822EE588D2C3DC619A9E5C7AE867DC79AA4B8D472DAB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:37.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=889161578B5763EBEBB427F53A2E7847,SHA256=0100A4C3D3BC70D777F581A52B856B1DA38288C33E4821CB14F55AC82FE4F0FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:33.443{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61825-false10.0.1.12-8000- 23542300x80000000000000001387755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:38.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFF0B16B257955058079C0245998B05,SHA256=E106E33E467C9635A6803F84C137DBADC692DCC614A0BE7076909D2E2646940C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:37.402{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29511-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:38.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B17B00B8405C1108B7CC221F740B782,SHA256=A5FDE6C1D3AAFE455CD17929BCA05AACF946ADA92DAB5A64F154136962C97B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:38.746{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A46A82A596CDD483E885DA323F394834,SHA256=25356A90364DF94FECF5A4EDB8C47AAF07F5E9552D796482A68580130E63FBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:39.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FD9D0FCF5D64BA9DDDD332FBCA1899,SHA256=A5812648004C6B482DAB9D1B6C56B22248D1F623A0E9C8B48E06AAF66022CECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:39.876{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0912607838E891CF0AA0FD32ACEA9912,SHA256=F3FD40FB14254F1F415BC3F48671D73DC7E189E34CF796DD4BC5C1128D147B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:40.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21379272389BF02B7A54E10B997C0456,SHA256=479B44A9D6F3178169D02F460ECFE63626AABFB2BA15A5254E85602E01CF4C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:40.961{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D899FF7CE63690B19057DA3CDB0F3D34,SHA256=06992BCA052A0F703EC69272CD3D655F1DCC9B361E975A4967A763ACB5CAA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:40.029{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7220ABDB84114B423B5942849CECE57,SHA256=E4FE5CBA999BF7BBCCC42963C0CB4B5844482BB83596B9BA2E4688E32846FFB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:39.148{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:38.501{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:41.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26DB9955CBD42C3B26E2672198ABF0D,SHA256=AC682FCCBEC7E0E83303F8C7B7B8C37D6CA4E8838F5A5DDF47A7FED20B46226C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:41.714{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:41.714{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=16B05BA7C3E67527A658ACA02D76A235,SHA256=59E0C4F3580591131755D162D3B9CE16A320D715A256354C487787290C905BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:39.784{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41807-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:41.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73490EBE6140D1B1AF9D42F0B31818F,SHA256=7036283DA43033645176D63A63E473A603A3BE265BD9683AC679798BAAE7F4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:42.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BB885D9FD99583E5022A902C384964,SHA256=8B7238DBEF774002A7FDEE08DC96D32534BB9E4CB51D97733EF535157B178DF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:40.912{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47466-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:42.095{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69BA176C037DC509CC581A198A958FBB,SHA256=069924C9C0868D3462C3CBCFD9DDFAC99F5CBD89688925AA04E4843B921CF749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:42.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95747886114641284E241FE3621D01C,SHA256=A130994E4F19555888B34E56CC29CC95747ACFE83B36790C5189D7219820B907,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:39.431{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61826-false10.0.1.12-8000- 23542300x80000000000000001294458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:43.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C73886B1EC2653B92651179542A13D,SHA256=FBE44DD20DB43CA988F84E0E549510317474B19EFFF72A43574F8B804384EC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:43.175{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388F32D1AEE0CEF1569EBEC74FD73361,SHA256=158D42F0A08A65D356F53A66D754FEFA9DDE339CE20833D382EE96531A5CAB4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:42.012{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:43.059{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9630E38D8A17921E4F2DC39DF64D1288,SHA256=FF0AFC24048F064B3ADE46034CE92AF354504C97DB38EA4CD99DE01BB19505E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:44.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A269980A3D4483E24A8BF96488C0317D,SHA256=6C0F2C81AF47012941D105B3A95BE967C63456F96DC30736382CC8CDCE84C777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:44.407{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8838F704DF11B670880BC115ABE6A38A,SHA256=2CBC06509EB6C91DD72F17752681FB229D0FC9D12AA61894C47E8E397616889B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:44.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CC7AD024A417724878DD9FAC5C4CE1B,SHA256=F4C7FBF1DC7095656DEA8AF2993B9C9C728A92141EC468876485A8FC7C2C3DD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:43.163{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59134-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:43.163{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59134-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001387772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:43.132{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:44.073{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9628104E04718F6F93B65776CA3EC740,SHA256=39D23D4239E0E99A6AFF278F4C0B0E69A62ED4966878080CBF8B920BCFE1BB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:45.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEB513DD677B13A8CEB6E8E946B992F7,SHA256=443F2BCF2FBDFCF1F99F3DF746253F7878CA385CD5E68B25D1E7CF4DAC184C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:45.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120847B4866F75527D7028AF91BB37C9,SHA256=A1F63C12330F3F464BF36B6459CA6534F81414D3017988EFEE9E862E06A83DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:46.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4638BE9540155B175F8601155DBF1812,SHA256=B9068D5F74041EF1FAF2C7E4D3467000032D81E4C59638D459E8179B50E6807B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:46.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07BD4F04600E0F28014D67844705F237,SHA256=DF9EF9614F3DF1DE576A706459040CB04CB782B788D19DE863B3A118081EE6D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:45.509{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11985-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:45.176{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:44.311{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:46.108{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7A9852C25C6D65B614CBA5FFE64208,SHA256=4FF829CDAB130F599AFF6C4D7BABED16BC5647EE37A50D67B90D0A1223EC172D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:44.526{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61827-false10.0.1.12-8000- 23542300x80000000000000001294463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:47.423{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:47.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F647D8B52E4628C285498CB66FC631D,SHA256=7BAAADE1FA1CEE2B59E7817C2BB7B1F7AEC15E4224A6E606C6D0DBC5FD1637FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.953{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.953{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=973F8FE7399EB4CF773D33E5993AD4E1,SHA256=3EAD3BA64D89F7BCFABE84383420E3012689D3FDD4AB73928BE486EBD0BA85F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:46.634{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.123{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE5DBB6BE7FC02ED8DF83682DC5FFEF,SHA256=9B3D76508CBF5445DD6B2F299001ADCA0ACEF65177C11136169E29460F39B84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:48.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51729124F139E35237A5441049524DE0,SHA256=9AFADC9C309997A9B44E2181831031B32221B9327B91152CDEE05B20DE3D4E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:48.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B4DF4F9CB9EFA650EDC68740D9F011,SHA256=CAD6A8EEB8F5594C4BC7F98B971E191E696466B60E81C3750CBB7B35CD971305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.256{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.147{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-33773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001294467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:45.759{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61828-false10.0.1.12-8089- 23542300x80000000000000001294466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:49.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AF99C89BBE2FDEC49EBBA2134B3186,SHA256=5846392A56F9E4DACD87B2B81389DAEDD2BFBE2DD551D4F28955C042304CC868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:49.220{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D920AFC00163A308E808107E24F69EB,SHA256=032C8F746E0A82793D045C9EEA802AB3898A244B57217100099F6BAD26BBC287,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:49.005{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:48.940{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001387792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:48.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:47.796{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:49.087{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0FAD6A641E2D36B795526F2A380747,SHA256=A584A8EB0E33736007DA7C8DDB59FD8563F344D9182558E2054DAC1B63312DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:50.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6E9B64E31220538320CBBBFBF47B74,SHA256=33011A799ACB6D5E8F4E6A0D1BECCB3DC41D6DDBB71D97DA253911861CC166D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:50.251{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=308CDB5FDC60EEF187431E0D10C78D05,SHA256=B75E01C0DF7074C3ECE377B5CB607B8456E333C16ABA8933ADB8D428229FC4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:50.236{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D9AB5A1E6A500CDC9B38A8A3A36FFB,SHA256=682BE8A07108E4070CCA8DF880E8DE5B95646426DF0FFBFA668F50667854D61D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:49.581{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:51.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C7370A625668B5EB320A9589322A3F,SHA256=4DDB5DDDB9F8FA2C078DDDE9862E8D0098F88854086E203DF6F5198BC06112A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:51.418{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ADF8790CE54AE45BEDBF847ED9165A7,SHA256=C9776943A0E4D4E30370B7EBF3BC42B00F82DC8FFDCE4726EB2EBE6CE1A791AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:51.266{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B37A6D7464A02C2FFA138775C470DA,SHA256=9FF28BE76785C40934349A3D700CD520905C4116AD1F7AED391A7AB1608ADE52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:51.085{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:50.776{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:50.107{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:52.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBBE71AA63FBB90948F3D1A1D5A9B6C,SHA256=8BB7B20F0E574D89B3A111279A9146D60ADADE4675D5676135524C730AAC56C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:52.533{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE735C0DBE38A75B44C4F2700AD4E53,SHA256=8C7A34BB64BEF8FF7A18DEC9A2278BDD444EA0A978A87E1A41F7EB1D71242C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:52.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB2CC7FE29FB3454B00CD7E5A23FB47,SHA256=F316D7ECE47DCCD08172AF509EEF034A40FC22D1CD27A12EC14AB9147F222CA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:51.302{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41875-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:53.813{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F608A2D3B3605C88A0EB3F6C1AB36E,SHA256=F421A602C1C6A8A0748E762D6277425F94A0F174FFF81D3C9E8BB7124ACFBB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:53.650{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439CC9CBB057AB78700E431087FEF11B,SHA256=FFC632304964E15C129C847561B51D54F581C492A86ABF1233131BE962FEDFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:53.335{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8D2492C8937762661D7A96E560452B,SHA256=1FA52DFE8308798555C82B190D6505E8F379450BFFFA8F06941BC2766D38FE2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:49.572{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61829-false10.0.1.12-8000- 354300x80000000000000001387808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:52.455{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:51.863{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:54.829{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B1F953175DD79D6D46E1DE6634080,SHA256=854A62685B4325D53253694547C5BA66B64E7206837D0FA87EF38B5191183546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:54.749{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F372ED81FFB66E6C700A302C3FBF6FD8,SHA256=267EE89A21E2DAC5B63B720654E166649BE6A8A89CEF70EBFC6100E0FA001021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:54.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA1D171855D3D2D59A1484E929D9465,SHA256=D457502ED0C9E19FE408EE41400A327AB404A05FF51D8F27C1414F3C3B896FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:54.157{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:53.572{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53398-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:52.983{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4192-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:55.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E672B96089954F3844A6C3E34D8D964C,SHA256=85A57E99AAC2F501637B824939F5443C523C0D62D13C609617FCEFCC50716F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:55.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4568EF0E6AE35828BB2CE7029B82DC6F,SHA256=2FA2E66515847F0FD3656F19A6E4A2348DD6B076D3D28CAA39293C86AC06EA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:55.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2143CF3DC610566B23529A436778A50F,SHA256=D559CE9FE260FC73190F59FE4B2291C517DF67A3B8DF3272694E8607AAF0DCA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:56.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F78388CC6BF4A6FFBC6398B21A9721D,SHA256=E55AB8ADA6A2B57AE37F52935E911F5DBCEEC0B3D76907A020428F14E88BD017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:56.964{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E9D0F23698B82D34DF54CCDBF6FA1D2,SHA256=D9F3D2FBA400EC98C12EDCD4D48657D502F8391E2DBEE1E76BBF56185FB26380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:56.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D9EAF91049B8B4D0ACB82A327808EA,SHA256=A2E6219CB6FD690E66D6691CA3DA5CD706DBB978D6342EFD285FB1B865339E4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:55.773{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:55.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-16046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:54.690{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59109-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:57.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3265CD39FBAC8DBBA5D27D1070E227AE,SHA256=7E5C39874CEBB0429973461D1DEDFA4A73FBC9E526A24BDB0B4AF2915D78766F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:56.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21548-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:56.205{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:57.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F2AFC0D26DE04A98A00800EA578824,SHA256=F522AE13CE3752FA948573E4D5CCFC3C85048B01680D7BD4F8342D6D5C67C0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:58.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA822E18FD96B7482085D71294C28A01,SHA256=05F9E1A40729E4698BE980817FCDA6CCF5E8A8CB7A20BC3983FEAE6841023A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:58.005{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17040-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:57.494{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27432-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:56.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:58.434{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5647B845E7861759E4863D2ECFC8625,SHA256=471BEFD33A524E3B3A84590D4C0BBE71D5767513A60DD4AEF93281314A2389C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:55.447{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61830-false10.0.1.12-8000- 10341000x80000000000000001387827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:58.303{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001387826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:58.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F138A735C3598E9D1F610375827DB65,SHA256=ED29DAF77049CCD0DEA759361118867CA9FF86590961A21F47DFB5F7DFD69F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:29:59.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA5A842D997CCCFC312836523EDD69C,SHA256=F47E5366776DEA365F7B84688B38004AB1571890D31A9E0200DD2C9745CD23BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.734{5EBD8912-8CC0-6151-1600-00000000FD01}12966536C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.734{5EBD8912-8CC0-6151-1600-00000000FD01}12966536C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001387837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.307{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59139-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001387836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.307{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59139-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001387835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.154{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-22980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:58.627{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-32805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B9019D53BCAA94CE704318D09CFD4E,SHA256=2ABF3067051F5974DBF54B89407BC980E740D5125DA55C6476138045890E1631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76049B95EC120EEEA5620DE857D3B033,SHA256=7CBFB6C238B8E1A1C5A9B80B692717E0BFD0E9801C7A2CE611C5695BE3DE69C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:00.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CCC7EEE1C2553D5207305B31933E5E,SHA256=94CF6A68A21AA46D3DE5C6E64E16791A7EA172866E5F11AEA26856BCD7741C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:00.565{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D9EE1EE34C236E802E3314013B2DD52,SHA256=47D4D0BE90CC8B87E8DD629E3AFADC11462EABEC732C048AB1E2F760E93528A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:00.266{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:29:59.975{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39815-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:00.518{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3615E6D140843D535AA36DB3D188E3C,SHA256=F0CE3378E9609C03961495F7B54957FC575163688CEBA7226FE10CED8FDD13DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:01.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4239CF9E860ED6D42DDB6CAEF42A5E,SHA256=FF2B1F37229AC64D8310E89E01D992BB3A9BD7D868F0B9D180646E6F1D30B270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:01.648{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98AA8DC9B71C3E71B474EB8388179A31,SHA256=FFAA7759EDE6D5CF9B5740876A95073BCF81545AB382521B4859843AED42D4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:01.533{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A665AA9F8C084D4AE7EED0AAEEAF71,SHA256=2C6224326410C0469C38CF3D453AD739A0240F53E994A893558E85A2F5885809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:01.402{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001294482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:02.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D376E122430D134C8EB9064AF81479,SHA256=FA806CCF4A9CF7BE408173E65D32C0EFC449944599EB6A831ACAA45765B1DDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:02.862{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C42BE4302A1C66229173989590679C6,SHA256=F8B30AE04FB808436665FCD34D8A87602DBA342C21E0029ED2B399DD3E075B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:02.204{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001387850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:02.157{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:01.590{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:01.058{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:02.547{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C11339F9D87DF86347C44549C735601,SHA256=3C5F962AD8A26F32DC09C573E201C3F777A5E7842A7D0C36E870C54AA31793F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:03.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=083B4876C3ACF1430B966939884FA4AA,SHA256=0CAC0985A9D91B7FDC2BB9E7FBCA4C866C1702F23AED4A9497D9B30A521AF9B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:02.691{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001387863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001387862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05302157) 13241300x80000000000000001387861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b443-0x08838fc0) 13241300x80000000000000001387860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44b-0x6a47f7c0) 13241300x80000000000000001387859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0xcc0c5fc0) 13241300x80000000000000001387858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001387857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x05302157) 13241300x80000000000000001387856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b443-0x08838fc0) 13241300x80000000000000001387855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44b-0x6a47f7c0) 13241300x80000000000000001387854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:30:03.615{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b453-0xcc0c5fc0) 23542300x80000000000000001387853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:03.562{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68824A89109432FB5B9F8258BB3AA4BB,SHA256=ADF62D9F53158AD0926D8972A950AD5068C3368656557E4FA5F347874CC15732,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:03.888{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:03.285{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-56852-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:04.582{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07488DD1E5DD7F62AC7337887EDDD073,SHA256=0BA3CE65EF62C265975EF6426E2291B10FE434BEF5380F5E108B16A372207E24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:01.419{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61831-false10.0.1.12-8000- 23542300x80000000000000001294483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:04.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BE18FB5E021FDD1403E6AF3E8FFD22,SHA256=D96E8D4EA89EF356D67128A0D1E32C8FFC8FD67C12B7B3A38D78202D894546D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:05.485{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9454-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:05.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52972-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:04.402{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-3920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:05.644{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB648A08A82A4031C8CCEB3F08E670F0,SHA256=6914FC67786B505530807DE70CC81738DF02FF3E73B56B887ABAF8C98CC414A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:05.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B79798F5F320CFCBDB25339481CA5DE,SHA256=7F5940D23C539C4B02B65B19E1EAFED6887D97C774796CBEB2D3BDFB38BC2EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:05.228{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547F7063550C2E5207F7F2C4B1FD32E9,SHA256=6D16C1DA961B85479DD11F258560A90567239C10BD4F31EF6651AE2EA46CC1D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.413{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.220{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.198{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54647-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.674{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5834B1E9BDC5C1EDFC1EF218D6A096,SHA256=D632D282D43D1ED70AC3A1C45BFBD25C0D00178601AF54489B8482DC133324B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:06.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78B7C6E943BD4C1922E485CDD0694BA,SHA256=32CF4CB48FBE0F54386FBE43ABC6FE1B273EE93A8BED8B349D2D560991626EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.275{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DDDE85E8BECDF1B15AEECA57611E6D6,SHA256=C1C5E0D74F933C0C7E5F77888D8E9182C745801675A2F20751B4124DEAA607E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:07.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCB3841C9049E15032698F430E8FD02,SHA256=527D3C440828B4D4A75A88CD7B674B99C279C9F370A9B23EE1DDDB4B4A046A81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:07.551{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:07.296{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-59053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:06.793{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:07.693{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F26274202C5260F567E678E1F66D7D,SHA256=8C2814242D4F6128689204917E2EA21D73BCD68CB11A0863AE0402187A2815C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:07.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23BA526BEB9F3D4D841B009A1368EB47,SHA256=AA49AFD86084AB80334FBF81922C32E1F2EC2A7CE49A25FEB457CF2F8F3FE807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:08.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0C178E7BB014ECBB6D0C1460493355,SHA256=556980C47B2ABA248FC1C28AADDBA263F19F4C2A48254F8B7316DE51103344CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.451{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.176{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22564-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.161{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DF36CF26B49C03AFF9462F6138010F,SHA256=75F680D2AE791A86F9F343A8ADCC91C22651E8A86C7889667AFC39D47B73E122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.542{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44ED6D7F6BEC7594035AC6D0F5B0E77F,SHA256=D5D0CC33DCD558CDCCFC41EBB884AA514816BC2C50C41BAC5B40D7964D0F1406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:09.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD50308D0220E3BA00DBBAEA673777B,SHA256=BC82B32B21F85BDDD4B99FE119C89944A9D45503C8DE2B094376C9C227302587,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:09.286{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-28579-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:08.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13234-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:09.771{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61A348EFA81BD9A535EEFF6A2490A89,SHA256=756547B33C6190AAB086D0C2A0C7769BB4AA3B15CC2AD35B590E542878142CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:09.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=792A4631B7BC4F1C6DA96CF93CCE6336,SHA256=D17C16A235657083409FAB0F19545CBAE4D4F9102A3A2978844F9DE66EA4511D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:10.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA090752BAF9C56FCCA97FA2FEA79CE,SHA256=7B85CAB9AEDA9C04B2B6573C678BDCE48BE3CCB18A51532BEEF806F29A9B5B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.940{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=947224734EBCE8F31709E802F147F9B3,SHA256=8236EDF5E148D68D69797A5DDDCF2D1FFDF76D9F6B295347CE2D4441CD9A04BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.489{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-34407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:09.947{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:09.564{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-9321-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001387911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A2-6152-D228-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0A2-6152-D228-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A2-6152-D228-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.841{5EBD8912-E0A2-6152-D228-00000000FD01}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.840{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CC46B5BCDEDD42759137ACB10290BF,SHA256=8179F33A63AAD06308FF02F2A9EA2200F14396F3D01D5151397DAF68275BF503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:10.396{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:10.396{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:10.396{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001294490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:06.450{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61832-false10.0.1.12-8000- 23542300x80000000000000001387902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.771{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B855A76E4B52C7C26E9F2AEA98699416,SHA256=946B278FEB31E0685DE6105141CCD92A4B9F3819A9986CD2A57CC0AB645AD2E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.309{5EBD8912-E0A2-6152-D128-00000000FD01}64446196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A2-6152-D128-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E0A2-6152-D128-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A2-6152-D128-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.156{5EBD8912-E0A2-6152-D128-00000000FD01}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C704CF725C56B5885E9B89010DE2FC90,SHA256=BA945C2574688E8C984AA94E5794735CE7F32936A4B986396A67794CFEBC4A62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:11.212{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25668-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:10.715{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-13764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:11.854{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8474B30D01B7463007F71A75B251F2,SHA256=0264DD2A22535529496D5D1CF8B60424EF10A46A8FDCA0E67C0129031A786E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.521{69CF5F33-E0A3-6152-BFA1-00000000FD01}4162824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A3-6152-BFA1-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E0A3-6152-BFA1-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.317{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A3-6152-BFA1-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.303{69CF5F33-E0A3-6152-BFA1-00000000FD01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:11.839{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F4BD82BF7E5D5BDDB799A37E0B53E26,SHA256=F99964AA070789A3345B13473CA3AAA586B94529D522550089D7C7B2FDAF3FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.869{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD851CC204888C24728006B68E6A89D3,SHA256=8114FE1A43AFCAB0BEE557EB1FB4D669DE5E77C1E999FF7ABC6431EFDBA243DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.869{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64252D9ABEEF1D6B23613E6527AE1B78,SHA256=E3295DC18430B15616C421CF7F67CC1925929F780FD9C9E510C363393088823D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.708{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A4-6152-C1A1-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E0A4-6152-C1A1-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.692{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A4-6152-C1A1-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.678{69CF5F33-E0A4-6152-C1A1-00000000FD01}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=479A5B3CCAB4E30CF5676F7B5977FCF0,SHA256=3705DD06F974B28C37EAE64480AD0B6E1588058530DD594939281E1AD94CF262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20D9CF646FFB06654240B7432860B392,SHA256=7498176A736837D3F9839271D3F805DF6DED1FBBB694F0489801AE119125D013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.255{69CF5F33-E0A3-6152-C0A1-00000000FD01}24323384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A3-6152-C0A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E0A3-6152-C0A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:12.005{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A3-6152-C0A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.990{69CF5F33-E0A3-6152-C0A1-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001387927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A4-6152-D328-00000000FD01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E0A4-6152-D328-00000000FD01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.638{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A4-6152-D328-00000000FD01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.639{5EBD8912-E0A4-6152-D328-00000000FD01}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=479A5B3CCAB4E30CF5676F7B5977FCF0,SHA256=3705DD06F974B28C37EAE64480AD0B6E1588058530DD594939281E1AD94CF262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.599{69CF5F33-E0A5-6152-C2A1-00000000FD01}24842472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001294552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD36B826607CF5A40F26F01CEBA086D,SHA256=6D79E4155864D3657FC12C8E472469BEEFACC10BF56853AF3A08A35439D73429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A5-6152-C2A1-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E0A5-6152-C2A1-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.380{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A5-6152-C2A1-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:13.365{69CF5F33-E0A5-6152-C2A1-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8D9060E5B8CED15F0D4285D9B0CFC8,SHA256=69607D1A519977D049B2407B5C2B61E31E5A73B679E9A78125A74A924D88F3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.390{5EBD8912-E0A5-6152-D428-00000000FD01}53886548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.221{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A5-6152-D428-00000000FD01}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E0A5-6152-D428-00000000FD01}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.206{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A5-6152-D428-00000000FD01}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.208{5EBD8912-E0A5-6152-D428-00000000FD01}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001387933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.110{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.085{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:11.791{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-18171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:11.592{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-39954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2027898BBDE2FBEB7ADCD978D8200397,SHA256=45D17B6C0A16F28E713F78F865BE7A0A81A103D5A130F4A1D2AA4E0BC2AF9A56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.958{69CF5F33-E0A6-6152-C4A1-00000000FD01}30243148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A6-6152-C4A1-00000000FD01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E0A6-6152-C4A1-00000000FD01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A6-6152-C4A1-00000000FD01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.755{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.739{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.740{69CF5F33-E0A6-6152-C4A1-00000000FD01}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:14.904{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4CF0B7FB163FF17B3D0C67D90BAF98,SHA256=713398D5A73D359DDF3D4BC4D80E61EE9F651551E794ACC89E9BF1C092DF3ECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0A6-6152-C3A1-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E0A6-6152-C3A1-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.067{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0A6-6152-C3A1-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:14.053{69CF5F33-E0A6-6152-C3A1-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001387947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.859{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.706{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:12.298{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31347-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:14.005{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BBA7A1DD850BE1E34998743E89B6FF,SHA256=B7833981C3C325F7D710DEDFBB77337984A54DB5A427F458C5B179C96E3BFEA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:15.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C05385FFECB8113B1F4BEFB6252B417,SHA256=5D33D3B62A794A1D14E902B7F4E9E83BDBE700EB98B1FFEECAC7DC27E9429E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.918{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB904FD56B78B574318ACABBA981689,SHA256=5653802D6D7BF3F023270F1628B2178411411391BB45DD1F0654C3AA2E6282D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:11.466{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61833-false10.0.1.12-8000- 23542300x80000000000000001294583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:15.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A4C528AC8BBDA289403513DF124294,SHA256=5B39B1D1298D98F4FC3A1A877B855A7942FC132924291F64BDA4CB66ACE0E081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.086{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB3127A00407BF51F15E0A28CD99841F,SHA256=3743E04589DBACA0605EE6ACF1E7452AE2B51BF07EF88749CE78060291D09482,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.498{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-37613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.217{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.210{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001387975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.965{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881178A007715D7C557127D4BCA69781,SHA256=3027ACA93360FE689E31A897B64AD06D3713DCCCE70CEF6ED6BCAE0150513986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.718{5EBD8912-E0A8-6152-D528-00000000FD01}69526408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.634{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001387972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.634{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.634{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF530541f.TMPMD5=A9508FBC501F466EB2990AF216D34930,SHA256=84E77703DD96BF2C33DD32AB056EB63EDA914AD92C4425502473931E11B1ECB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A8-6152-D528-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E0A8-6152-D528-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.534{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A8-6152-D528-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.535{5EBD8912-E0A8-6152-D528-00000000FD01}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001387962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.150{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A8E17106720FEA140DE3B0E660DD386,SHA256=5A1277A0D767C5EB803D93A032F72B2977321080E1C9D05C939B93455906DAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48414-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.045{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-57255-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:15.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:14.592{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43223-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:14.442{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42347-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.943{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26742-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:13.908{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-51587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.985{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D53A95D896BD3CD86ABDFEA34DBB44E,SHA256=EC0C8EFD35050E5595D4B9323F662510FE5185F413AC7B8F347254B9F967F8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:17.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64197238D0D3E0EE5FEAFF14F91A8C4,SHA256=46E7FFA1FE6E8CAC1188A288022DA0BBC3BE9CDD4CCD321E2E30ECEBCC44DDE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.402{5EBD8912-E0A9-6152-D628-00000000FD01}57281224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001387986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.333{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBADAACA365CB0D24E5C4743478B14C4,SHA256=A2274787C1AE1AF126AF4C241D247B3F585D304B1FE9A315DDC5D41CAFC132A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001387985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0A9-6152-D628-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001387980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E0A9-6152-D628-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001387979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.217{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0A9-6152-D628-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001387978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.218{5EBD8912-E0A9-6152-D628-00000000FD01}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001387977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.255{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-4449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.101{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-35247-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:18.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE80CBD2DB2B6EB397C68DDB9A5B8999,SHA256=1BAE07E463FC0706F9F0B8A766BFFBAB6ADD70D529CD45ADA194247064FCD82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001387994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86BE0CD07F4773585AE77AB09FA39392,SHA256=8A31010E94B0B5002CF579D19141CC320C10FC00E6B066E4E222EB8ADD6518EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001387993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.457{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse23.88.33.85static.85.33.88.23.clients.your-server.de55319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.350{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10141-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:17.283{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.953{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:16.938{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001388062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0AB-6152-D728-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0AB-6152-D728-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.947{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0AB-6152-D728-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.948{5EBD8912-E0AB-6152-D728-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1871820C1C228A36BFAC39653B54C74,SHA256=636BCBAAF9BD6154587FE256ED7CCAC63A48CE0C6C3FEB33EBB29BCC570D585E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.897{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6596-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.873{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.865{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.851{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.846{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.827{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.827{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45845-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.808{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45697-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.804{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5909-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.778{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45631-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.743{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5604-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.660{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.637{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.598{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.593{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44912-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.573{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.563{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.540{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4802-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.526{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.519{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.514{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4573-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.489{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44596-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.487{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.478{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-15727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.465{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.462{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4352-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44468-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.428{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.424{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.405{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.386{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.382{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.367{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44043-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.361{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.306{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.290{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3541-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.267{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.235{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.232{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.207{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.194{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.174{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.150{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2486-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.140{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.081{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.074{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001387996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.043{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001387995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.002{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA31527D721E0B743E3EB35F09AE601,SHA256=AD28699BD8285381034DDCCCF5991AF2DE850DFB678E7D5353304E538F7820EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:19.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603EB35B9282EEA1D7E434804B7186B3,SHA256=F3E1139CD6876AE476940EFE1C81300A5CA20DDDEE4A23C4EE2E8E18CD878CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:17.440{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61834-false10.0.1.12-8000- 23542300x80000000000000001294589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:20.103{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C5545BF8CB7035AFA9C60D2CCA090E,SHA256=9E829F73100D81F6B153D16CE45C5B665F2E9AC007477F1B6D556C2F18373236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.648{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=385AF4828440AE4318074139FD0C3D4F,SHA256=A584C67F23FEE1E324F28AFD6010A96C47A0D16364F61A476E930C380510C36A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.433{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52995F65A72AB82499591F9006D555A,SHA256=C473F5A51877C1CC6DFA8168488ABA19227B71679F481CB79C0D38A1B79F70B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.686{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10584-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.649{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.626{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.566{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.528{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.505{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-9662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.474{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.441{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48345-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.406{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.387{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.367{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.334{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47988-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.313{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.274{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.255{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.236{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.235{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.218{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47428-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.183{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.164{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.144{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47192-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.126{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.094{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46977-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.075{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46840-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.042{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46700-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:18.964{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:21.982{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3377E97E9BA66A15C3DA2CDA351EDF0,SHA256=812D9F89CB5770D9662A1EF17D014AF813171E78A69085AE329BA8317E523CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:21.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBDEFAE8771DE0CB7D403DCAAFF7A4D,SHA256=FB7A79E7C25B87413F8A93ACA658C6A0C40DFAE54EE581A1515F75AFC74DCEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:21.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79030ABE96782B8184008F314BBC57DF,SHA256=2ACC3C0A2BBA89B1F7A8D008E788DDC9C4C7D7749A917C3A2A91C5E940F3D5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.709{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53312-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.690{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53234-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.672{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53108-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.638{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.618{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52896-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.584{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.577{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14952-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.515{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14911-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.491{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.467{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14689-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.443{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14485-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.404{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14342-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.381{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.357{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.333{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.298{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13811-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.251{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.228{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.198{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12845-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.048{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:20.024{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12508-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.995{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.955{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.932{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.905{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11715-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.870{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.833{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.808{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:19.785{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:22.401{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FD5E0CB3B14214532ABCCDF43E5922,SHA256=6D4A29576987EF814E6D245D3F0366FCAAF2212FE04E5279E7941CC651A334F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.544{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5730MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0AE-6152-C5A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E0AE-6152-C5A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.214{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0AE-6152-C5A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.199{69CF5F33-E0AE-6152-C5A1-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE34280BE25E8EF90B26BABCF1FBBA16,SHA256=F97A2DD9EEC2B65580EE53253AD14CA2F56C6F435CC021C55AD4B7DC702924A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:21.711{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:21.673{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20718-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:23.435{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F1D5432F429194CE38DD23D95AEF202,SHA256=1F8B361257560256C7805D1C94CC9CDF85355D09A74D9F35131BC130578EFE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:23.403{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27956C06F448FA73846255AB6ECF5FF,SHA256=824F66ED562ADC7225FB1E995947CEBC35908F7195D67F7524BD8EC976F85F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:23.558{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5731MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:23.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23DB379C3E3D3E8A1F0C25AFABE46B1F,SHA256=6731B28A5A29EAC86522D0CD340843A63D035BCBAC66859C7A28CA6ED51A43EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:23.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=809AC02610ABE1208BDE83FE5F3E3173,SHA256=498B9972515901EF60F79326E851DC69A49ADBF73F97DAF4ED87A5FD9020DD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:23.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4BA48E143D0A42F9E86FFFFB2D9731,SHA256=002B2323726EF6D0C3B44AE52885514913B603DC02D5352B6889555B5A01F788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:24.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4B2DEC9F866931A357F27F4058279E,SHA256=79E8BE265DB7DF41E1CC0302732FA612D519386A835CE2DB21AF4FB6F37EB4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:24.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E9CEA7EB08F18B849235FAE20AEF42,SHA256=E7E15478C0C0ACC7F3AA88A411DE43CEE740D82950B08405C6F6D90E66A63E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:24.419{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97FEA2C86DBDE57E5E18190F03D1FF0,SHA256=8D1A6E055057E740911188E030D42FAF0AC060DC323D7AC223C81194572F52A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:25.739{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD11581D4FA0B0244C5E38CDEFE1D55A,SHA256=7ED1359A8D9B482B4C853E116CE6B79256C66EA9954C0DB350518D7761BF4DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:25.739{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1413MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:25.433{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A7ABF6385AD7BF12649F75D214788B,SHA256=2AED21002CACA647269BB912379CE343A163A41A28A9235A7761AF4AF2AB895C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:22.566{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61835-false10.0.1.12-8000- 23542300x80000000000000001294612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:25.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5412F31ACB651352948C4D98DE0030,SHA256=3876854A40BA26621CEE1B3CBBE8801019CE9E8A50BBAE867E6BA8733D48EB53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:23.245{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-28142-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:26.902{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B631D7CAE40B624C641A1913A0EA3E15,SHA256=8BF99FD051F8C79E1F441D5BEB262588EE27B3C6C69992A3DE43FE2972D2808B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:26.749{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1414MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:26.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB5BC166A0EB694FDCA9B850765C157,SHA256=7164181252BBD9B03998BCE7136F7EE3D48636BDAFC1798EF824FC4BEC11A153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:26.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CE653FDFA9A092A8D711AF0340213C,SHA256=642CB76966C4E4F0E42732494908BF243C62D6A7B2244BBF2B26074F28A83D37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:25.624{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-40318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:25.184{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:24.458{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-34261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:27.449{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18399FC9AEFD6F62676FFEF5283E04DD,SHA256=6AFF939A1813DBD37A52DA35E822A0DEDE1535D6BE44EE1A3A487C11FB4F46F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:27.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDECF83F98231E1248BDDE927BB7BCBD,SHA256=AD01E9C2B366425DBE4FE5AC539B1422F8A24B2B01DF71A3A3441499F48ADF15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:26.830{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46668-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:28.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F40368D701C71D96EAA7A0940021DF,SHA256=289ABC78897961BE3E3A4D70A65CC1F724FEBECE731B7BE725E5234EC3DAF335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:28.183{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA971C8686A430E6F61B92C24E62D38,SHA256=BF40EF4C8D9C224B4B265C23707B983B0272A9241B96641B764FBE1475B56F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:28.064{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70C91B4F3C5C677E6034075E8891E82,SHA256=BF6ACAB02043288ADF1DEB672E473CA3C851BA63855500821790691B50A65B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:29.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C8CA68BEF50CAC6B94BBC4178FD1C8,SHA256=417768692E82CA5AAF93E86F0178F761FDC66AD2FC47DA936C6674CD734D9BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:29.548{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905990C151961B4AA0804E8BA2BC432F,SHA256=5CE7EAB3F6A18CAD1571015133C65C0291BEBA17CA1A383619F7B0D2B04F3BF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:27.973{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:29.148{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FB19B64F49C526A13559FDEB2555A8,SHA256=659B8CBAD25E738CCB8B7278B1784E27711692B4EA86E348B2FA163E0A12B7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:30.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9067B6E2E0F12D5346B4AFBD7FDE0D,SHA256=8D213B9598A3170513B0AF3B2D23FA5F05FE33B13A74F6098B3F30EF41590534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.563{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50880C8FCCDB3F7003CC2E9FCBCCE20,SHA256=702328D1C21F1DB8EB60041BF465C65D2C0173BC0EC0A840946B7FC4217DE93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.232{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EC6D304E0E545FDA4B4B0B706BE2450,SHA256=E1C82FC9106FA85011256D2E2E95E70BBB17D497DAC6075F08383199DBE780F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:29.089{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-58206-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:31.698{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C84E3827E7CDFF105EEE0772337B04C,SHA256=98F74F664A2A619F4280678BD48CDAFEE478B74BF0C92E3823EBF1F0F0296745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.585{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8302A91A9AB2509BC04BF1366D1C9F,SHA256=66D09C9A59FA81AF36DA3E479CE1410FFDFF9EB69C1F920C328343BA7EAFD906,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.010{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.987{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.952{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19495-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.918{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19401-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.895{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.872{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-19062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.826{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18915-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.792{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.754{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18581-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.731{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.692{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18079-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:30.176{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:29.538{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:32.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8913EF3E0EAA3460BAA7368E9FBC91,SHA256=D62A718C2F0561FEF317C0E85B16CB3B42D1F2C3432CD94EA5D09091979CD5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:32.899{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51A9C9DB15D68571A4C620955401896,SHA256=1B942B8EF6753FA3A223755318ABB1A8FDD26A27E86DB94DF81D96FE8864BF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:28.535{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61836-false10.0.1.12-8000- 354300x80000000000000001388202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.734{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.717{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.695{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.657{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.654{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.633{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.610{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.588{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.574{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.548{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.527{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.498{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.497{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.473{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22035-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.450{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21926-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.412{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.368{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-11019-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.333{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.318{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.299{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21429-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.294{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.276{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.266{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-10533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.231{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-21128-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.209{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20992-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.204{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.186{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.127{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.089{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:31.050{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-20002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001294622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:33.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9314E2A5DFF3D0DD54195594B0DBF7,SHA256=BAE5B4311E9DA846DDB0D90C7BABB7554D4553C424D1B70B1A92F758E80AC5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:33.979{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1C5DC442A6FCE53534F8BE83CED0BE,SHA256=1FA00957F07127702008D6F67FB131D71AEE296B6137057C03BDAAC13890A43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:34.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65419861B1D1B4A196C4B638937F33C5,SHA256=42EC8A9ECE7C2A7607341B4BD70E4CBCDEBDB3EF190CE0454D29B417C771231B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:34.997{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B8D0CB94303CBD1BD5022407B86E35,SHA256=0641A4EFE101FF857DCB6F404AB05BF534995A0DFCF35EE5386E4CCBD1805D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:35.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C6AFF1EC6CF2D5B593354B610C5476,SHA256=A2D5F360FF0B590D634B87B146B2549776ED234BB63341E303B773EAE5421033,IMPHASH=00000000000000000000000000000000falsetrue 14241400x80000000000000001388206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeyRenameKey2021-09-28 09:30:35.880{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\New Key #1HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{052860C8-3E53-3D0B-9332-48A8B4971353} 23542300x80000000000000001294625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:36.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E85673CC2FED97ADE6433F61A83214,SHA256=EF9AA7D56BF3403ED4111CEF952502971AF958C61E1ACBC8AD689915FBF31008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:36.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35797BEF10B132D00B4B44469EDCCD88,SHA256=065ADE356D996144EF2E8147FF7FC6633309C2F30D0E7ADADD7BA517CB37FEBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:34.394{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61837-false10.0.1.12-8000- 354300x80000000000000001388209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:37.199{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:37.042{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C22BA0C80DE13DC7502F68D4A22FD6,SHA256=04D6E18A1F8C68E10B1EDB2A9842D90F3659AF67356F0109EE6AE006EB64B9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:38.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412F539BEC19CB297F09E2D41D281AE0,SHA256=B5765888816F249B7FAED4DF1F088F94D71258E124D3161581F263929E93A8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:38.075{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC013ED8AA0847903FDE13E4F77F4D5,SHA256=BE32BB3FB785CE18DBE7E108DE5556F2C3C27754B0F0149D90C3E4401F4B65E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:39.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF229513577C5E728D4C63235DB02A88,SHA256=59DB37B07569AA79555BEDFE477318C211FA58E4F426BDF3CEA857F4930E3A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:39.093{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A29056157C4F5EE93398C07C8952B79,SHA256=EC1EC4A27B7D92182FBA3D08B67F7DCC27D2E8A955DE90FB0EF8D1A98DA7F23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:40.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B911F2C7BB58D920763D05F6A81352C9,SHA256=CAF5EC5F2D72A2C6232C960C44EB607BC09D62C1551B3391D38721F320F8022C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:40.095{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2902DA538068C4B5CC9244E11E1F4A55,SHA256=D158FA415CC11CBB45C8B81E32745EB420A2F1E7C347157917168C4937BFFFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:41.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A1623FBE41945EFEC7C42C95817E1D,SHA256=A4FDA7D79C80D0B1BF451EE6919AFCD412A544B55CDDCE836EE3C40B17A58127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:41.125{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCF74616CFF47C0EEC8C771683602AE,SHA256=2587970B61449DF04437CC4335009F28368E6A5B07A1F1269A20F7F0FC684B56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:39.411{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61838-false10.0.1.12-8000- 23542300x80000000000000001294631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:42.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227398578D7B5125CBD9304E354ED11F,SHA256=2EB0C3B039092A3C1192FE8326D16E78302AEE6F35867CBC44C96B3C46FFC226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:42.139{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4B3F53FADAB7F930FB25E199135337,SHA256=7CB2BF6D9336F72481D2B911EE4BA1520043A1D604C5912201755C4347B5816C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:43.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1170C9F9974087902F91514DB8E670E7,SHA256=76270D486E78D8056F331F91FAF1E8F40AA4AE21A55B90A568EA76B10B8FF24F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.176{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.175{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59148-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001388218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.175{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59148-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001388217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.192{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=114E6F0FF49B823A6394C3E4427772C5,SHA256=A1DC09AE4005B86D8BB114EC3ECF73F791361580CFF0EEDCF800AAA17149D0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.192{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3EF9312F2009A114605DA2736D50C8D,SHA256=9A17F687D2202B98F8949E75402364E04AECFBE8F7C002397DB8DDE5AAB78004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:43.154{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D8F38FD6D9E8681F69A121DB1D05F4,SHA256=7EE7128886DFF0CA31E293A7EFA87C31D6C67A3D0EF107979F70E0BFC98A8D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:44.419{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E47B6D67C23ADBEAF4881C0F64BB8C7B,SHA256=6658919958BC0055AF0BAEAE5C50DD833F0D9C2D4A253A9581F7ABAF6BEF69B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:44.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9508D5D287BCD156F525AC5062F9B892,SHA256=51C9046EDEC3DAF0BC89EC842992264048075AA71207AAF15914F1924CD1DB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:44.172{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2D5A87EF5F4B9E479900AF5BA8216D,SHA256=E00218C6AA3E84D19BA62B41542EDA057A5D95338596AC03CA79DEA0FFEEDB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:45.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53FF15680038C56811309C0C119FD1F,SHA256=77BC816757F3C8F9AAD686C667873564C84D85497B14E85D9A9791DA9F5258AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:45.190{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9EA40AFBB92D22BADA9B22F3FF9ED2,SHA256=895B2BDB6410F8C053EFDE7D31F406282A03514489BA5661DA25EF2BAAE8F37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:46.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5F5EB1C1EDF7E9F8B60C5DB74E09B3,SHA256=212BBD118D4A447253BDDF70F9502B8F70E07DE0FBF1F07165DEA633B8E0DDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:46.270{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A14FFFB7D67BE4C9AF547BAA94EA88,SHA256=0AAEE3D296DD93C83E8E468EBD4540C34E4BA867E83CEA31B31BC05DC21B214C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:47.972{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:47.288{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E31EDCAA2A7FDA3142A15CE0CA2CF40,SHA256=4AB00AA0C644D3643B4C253C5DAEBDEF6C8BC19673CFEB844832583F0C235E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:47.450{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:47.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E8E0DB6B232B4805514B522EFC2D79,SHA256=AF48D2228A785BAE1549BCC8D9BBE44617EA7F786C3FEA64D3E460748EE660A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:48.303{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E94D1A789E36D1BC9E017CC1F8207F0,SHA256=636F8D8D21C511C8444D73A49367BC2A66AD2EE95D2C315481608F6B8E9BE0E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:45.458{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61839-false10.0.1.12-8000- 23542300x80000000000000001294640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:48.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E263828A71324984D8D12A04E376FD60,SHA256=6C06A1F95BF9EDF6EB0572ACAAAC9EC968757CE655B238FDFB9578CC3E4FB534,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:48.971{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001388227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:49.349{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16C059270D740841F8800E8D449BC1E,SHA256=69B4B586EACC660E1D112C948B2C1F422BADD3A3A3C3A70193E3BCE3EDE8E05C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:45.786{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61840-false10.0.1.12-8089- 23542300x80000000000000001294642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:49.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF640655DCE5CE668764A6209D60B34A,SHA256=BFE598694C6954686CBA75FE76B8B496904E629D2C0B69F64494006AF5678783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:50.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68423AC549E667390E98B5E547F75356,SHA256=ABA294450E2795C941F73417B9566CDAAA22546A2847F97E673C8B13662C7FC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:49.038{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:50.386{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D042D4457EBD84AD9F8833C61CE416,SHA256=5908E76634EA62A7A79CB98B12CF41F6A4C6F656169111168961E3817974E9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:51.416{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FC8C1E7F36AC6FDC750481C4F9EBFA,SHA256=9FBFD21C3475D8B5186F99D6450C24856CE970C1E98AE3E49DF9D43D9E655DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:51.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAF4D56B26B59E9B3C5A59C285DFD30,SHA256=4F89E285F9C74A0A0B86497A7A152C4D7594191CF83588F7772E4C6FC2CC1BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:52.446{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F2F352575BA528353FE9CDD5E5AC7B,SHA256=832238AD557FE0D93796ACC4A3412F0FF360A71CF1FFB96B84524013F9657DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:52.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB18903B9A7B6D720CF86A479D7B26C1,SHA256=1A2129910B99EAE9EF64025B339FBAFF03B705A10B9F9837914E8EF1A0730749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:53.482{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2CE5567A5C8AA227FD96CD4FF6952B,SHA256=4B265C700815519E4C9CCD2BEB5EFD7E5A7822B3237E1CB741BFEE6D67F8A98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:53.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F685E9E8ADDDE2131A03FF28B01FDAC,SHA256=04FFD836931F3C012B6C36177C396FBB95BF5F9A363F62310E9D1BE1BCA4814B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:54.165{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:54.496{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477E8C5947CDE325BEEC089C8AA322C0,SHA256=843A8F006850002EF822FC536FB5A560E9B5B97E07E9203DB58635DFBF3577B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:51.442{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61841-false10.0.1.12-8000- 23542300x80000000000000001294648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:54.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8776BA5ACA1AD6F491A8777674F861,SHA256=26316D17F266EE1F380A01FCEC5122B4E16C68812C3F6E7C2642276B30EF5D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:55.511{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05105183F7553A971F4FACD37387B635,SHA256=F139BEE25FA4FC90CDB70F9B97482C4093C2DD44156413140B42EE1747AD2B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:55.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833D4005FAFAC41C92F12416D11DAF6,SHA256=148F498711EC3D6B48E229EB7640FCA0A8C94D23C15E4BECBAB67ED03275C09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:56.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8281D9EE886033687BBEBB6AF4746890,SHA256=B84EF99621D24A31842352A5A34CB720637B25A10C9C9CED0E55B4F1BA5645EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:56.526{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D114B3B980B913AD7C60DBCEE89B4A7,SHA256=C6AD9372C96426A9C57733E6BDEA3D05402300922FE2FB120FE1D438726F9ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:57.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEE8128C2ECC08AAC4926C61CDBE416,SHA256=EF03BB8E3410C2E73114CDBA3E0C9D6FAA406A2E44F79EFDA43BB3C5766C2866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:57.559{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E2083F4EE580ABE1303A0455B2B8C5,SHA256=11B04E5D7367538B0FF54A3F5EF740ACC173A1887F51CC8D9DD581EF9DC1DB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:58.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4FCE2F28529732E56EC80E5B267496,SHA256=44C8C0E55550A419B9E8DFF9E329A628229879EE89D1E487F18E4F231304DEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:58.577{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98816366E87A21CF120F64CB9E10AC94,SHA256=1B7C1D3C43CF2FC25242A137C763C29AAF45025FCF10FCA4BEDFC9731C784EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:59.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C6728E1B7CA0A479457DD4F752033C,SHA256=17930D19916CC85FF1C165FA264D107E6C555B656A90BE4FFA989020BBCEFEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:30:59.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3762679626B00BE8E87D3AF0A7E5AA7D,SHA256=2A6C53CC086C2D5ACDE55CFFA1C982EE787B003232AB0A06DFF9E6B92449A45C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:00.081{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:00.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6025D6BAE519D87910571F7CC8087F4,SHA256=9C9CDBFA7E59AC1048AAC6B425C0B9AA56E2581817830A3FF883C6DDF1BDDCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:00.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5154AC74DB744122E885697F30BEB730,SHA256=DD37C2E8B19B3C3054EC4ED4CF3BE31A05208F9CC3618DAEE368443D742D620D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:01.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F795B2B49D4520AB0114B878B3FE96,SHA256=093D249B6FD238D81C774D4AD6791FEC2E5C271C45FB108059FEE3F0625A96CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.790{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:01.656{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4EA7B4610B8FC68A0DB9A73BF54380,SHA256=699E9B97D944C2000B9C787EE0B3A28982DE5629CE13E8ACB6F69742351FE372,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:30:57.417{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61842-false10.0.1.12-8000- 23542300x80000000000000001294658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:02.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6674D673CCC538891A3458CA30C560E3,SHA256=9B47F1BCBA2165D5B9D2A697F7BF7D90738C62F07415B1E3FF944D1252083D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:02.754{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C787DFAD0887A873082DC9BF9BCE35,SHA256=13865BB084D8A775BC25AA7CB1590FC9CC864174405802EC300FF449D4792597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:03.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4872B08188571D71A422DE73A1D12D5,SHA256=F8D49F9B711307EE7A1B50E469DD87A6BB6FCD92F0357E6BDBD5FDA3C43A636A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:03.821{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8498BCFC24FB52E6E26E3AD9E742A8F,SHA256=8D6461D96714FA2E7345711CB6509F00FCDB46A4FAB7BB8CDAE235F12A1D9376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:04.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EF14CCD33D86258288B9DD8E81A7E8,SHA256=4A3271117B987D462BE36BE79FA547C0793820CBD9CB635CC99AE29A9301B0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:04.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97714F24EBD0B40F56E96DCC00F1ECB9,SHA256=AC0C5C4522DB65B0A91FBAA646EC7AB20B26F7ABC79C5B8DCEC7CFD605439868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:05.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFDE6B4B8F913BBBAFE1D10A3CE4FB5,SHA256=552644F1BC3789495BC2B621E3236FD6DF6789A6B611EA6C6E5B05B172BDAC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:05.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB2809D353E0B59EF7AC224BD80417F,SHA256=C3D70461A5366A54082F7DE52C54561AA5243633D1CCFA64930931845F1F45F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:06.093{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:06.903{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D21B279AFC30EB5128A6D68DB2723F,SHA256=A6BC431F13906F1202E1482B406F0C7A921EC831F2CE3286A95DDA74A9E53D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:03.401{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61843-false10.0.1.12-8000- 23542300x80000000000000001294662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:06.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFEE38B471B839AF9321668BFA7F6EC,SHA256=8518B7DA87AEBF7D097562C7BEE6CA063C4C547F82871B6C7606DC09A1B2D3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:07.918{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3539B3D8445CA257BFA921B20435D8,SHA256=43143D63A6D2F5B0078284A3BB69D29E504A81117E55D943F876EC787F761BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:07.596{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7FDC07289DA539E5872647FD4A299D,SHA256=26ED3F4F0B41B59C3D498B71AF229637AE0C499C8E3686A027CDD88E7025EAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:08.933{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79E247B66922ABAD01D4B3A49C5F8CB,SHA256=3365EABAD5991EEB3D41DCF950DD39EBB4977B750C2DD902EFEDEB25CBE63ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:08.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAF0DBACBA7A742EE66F1CE17E9EED3,SHA256=BC722FA8C64FB3510662DF898DAAE599B727B2A18F1D14A9DEF2F87904501A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:09.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=908764E48BB0D1A5117817A50C7F7004,SHA256=465A4FDE6BEDA0D97B613C100D4D6D6368E90BBF7651025FE15A9F2DE427C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:09.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9191BC7117D07D7A1CF227778A142F89,SHA256=B835A14D902A239EAC3D5EDBADEC2EAE40E267818CC7E5AD54ED4184125CB6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.968{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68374B05B122DC5E2AECF92E1699B54,SHA256=8C97A4D071BD0CD662FC48319B37BD38A0E84202D20383F726A16E076C762E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:10.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3366E735E065CB9EFA6B93A657DF64CB,SHA256=C4F6D68AAE2C450D548E0097E7371CC5A7294AC90580142B8D02F3B2D266A5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.948{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EB8BFD749CF31E82F70730E4DA9D8821,SHA256=E81A91C9A3FE4D943D585D887FD0C7063350B3D225C2C92A458221693E6F6398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0DE-6152-D928-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0DE-6152-D928-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.868{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0DE-6152-D928-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.869{5EBD8912-E0DE-6152-D928-00000000FD01}6148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001388298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0DE-6152-D828-00000000FD01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0DE-6152-D828-00000000FD01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.169{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0DE-6152-D828-00000000FD01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:10.170{5EBD8912-E0DE-6152-D828-00000000FD01}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:11.983{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB12100680DC63F6A559E0DAC83A4EA6,SHA256=EEB45D31888CAA03269E57496E0C4A666FDBA30C55D1FEFF8FBA942656DBCB48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0DF-6152-C7A1-00000000FD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E0DF-6152-C7A1-00000000FD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.940{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0DF-6152-C7A1-00000000FD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.925{69CF5F33-E0DF-6152-C7A1-00000000FD01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001294682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.820{69CF5F33-E0DF-6152-C6A1-00000000FD01}26083384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001294681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5107B59775475030DDA9FA995AB0C314,SHA256=80EAED3AC16F3475B38E774F7CF7BA468A527F068A565BA0F0D20FE6ED671442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:11.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61B389E5A56318BC75A8ADDBB344CF5C,SHA256=B67757573F5288D306DE99689018ACE67A9138B5F48644DCD8D03550C7359D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:11.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=114E6F0FF49B823A6394C3E4427772C5,SHA256=A1DC09AE4005B86D8BB114EC3ECF73F791361580CFF0EEDCF800AAA17149D0E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:11.032{5EBD8912-E0DE-6152-D928-00000000FD01}6148712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0DF-6152-C6A1-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E0DF-6152-C6A1-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.315{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0DF-6152-C6A1-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:11.300{69CF5F33-E0DF-6152-C6A1-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7882FFD78E80ACF42053B6D7EE6DA514,SHA256=882468611C3C318D18650776EA6EC37209DF213F2A8E512D5CDB7DBC2E8C8831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.814{5EBD8912-E0E0-6152-DA28-00000000FD01}57525428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0E0-6152-DA28-00000000FD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E0E0-6152-DA28-00000000FD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.651{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0E0-6152-DA28-00000000FD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.646{5EBD8912-E0E0-6152-DA28-00000000FD01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001294712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0E0-6152-C8A1-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E0E0-6152-C8A1-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.628{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0E0-6152-C8A1-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.613{69CF5F33-E0E0-6152-C8A1-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD00E487F2939A67219B1C05062EDDC,SHA256=D2C082F3925BB9F0E9DCB737B180F3819E11E1D9B0AC961896453B8A22B0884A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23DB379C3E3D3E8A1F0C25AFABE46B1F,SHA256=6731B28A5A29EAC86522D0CD340843A63D035BCBAC66859C7A28CA6ED51A43EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:12.221{69CF5F33-E0DF-6152-C7A1-00000000FD01}20322892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001294696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:08.417{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61844-false10.0.1.12-8000- 23542300x80000000000000001294742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638F27CD1509E868D9ADE05F13B62907,SHA256=EB3B61E6435DB4A1DDA8E9F6720399CB1C1F19488F6747A8A26EF8E7645A0BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0E1-6152-CAA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E0E1-6152-CAA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.924{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0E1-6152-CAA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.910{69CF5F33-E0E1-6152-CAA1-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.657{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61B389E5A56318BC75A8ADDBB344CF5C,SHA256=B67757573F5288D306DE99689018ACE67A9138B5F48644DCD8D03550C7359D9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.555{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.555{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.555{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.529{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0E1-6152-DB28-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0E1-6152-DB28-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.313{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0E1-6152-DB28-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:13.314{5EBD8912-E0E1-6152-DB28-00000000FD01}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001388323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.120{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:12.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6616DE3FD2481DA50DFB57919BDE45,SHA256=60C63B02047B5879D80BC5F27EBB384CC61135136A0619531B7DEA6ABE15417F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD00E487F2939A67219B1C05062EDDC,SHA256=D2C082F3925BB9F0E9DCB737B180F3819E11E1D9B0AC961896453B8A22B0884A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.440{69CF5F33-E0E1-6152-C9A1-00000000FD01}33483636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0E1-6152-C9A1-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E0E1-6152-C9A1-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.253{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0E1-6152-C9A1-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:13.238{69CF5F33-E0E1-6152-C9A1-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B93469FD593EAFFA6C180A569B095B10,SHA256=BE5DBDAFC9827C52D50350E6DCEC8A3CDD246296DA79AB2CFE61106202208BDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.846{69CF5F33-E0E2-6152-CBA1-00000000FD01}1456104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0E2-6152-CBA1-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E0E2-6152-CBA1-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.612{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0E2-6152-CBA1-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.597{69CF5F33-E0E2-6152-CBA1-00000000FD01}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:14.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9364A0A1DFE5ACB9C5B1CEB8AC963E2,SHA256=EA78561DEF1EF27D72ACB388A41788AB7574882D9D433DFDC3DE209C96EAAF16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:15.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232A1D5F3A66C96D698E9FC4D4D222BD,SHA256=B4604CCA5CDD5CB4A1E6231C594E26E998546A51B73CFE3EB7E41EC84ED3A616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:15.060{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF87E0198A943B4C951A4989128F19CB,SHA256=EF92A5A11ABBCFF240EEAB50F3AF58C3E4B05A494D449068ECDCE317101464BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:15.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D714BA5C04AABDCCFEE0BBF4162F81F0,SHA256=B520278026A5EE62D05935850A44C8B17C0603575C89E2EF413FF8C0C32B09A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.762{5EBD8912-E0E4-6152-DC28-00000000FD01}45881560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=CF5256089F2E3BBA3F0CA682394988A0,SHA256=54F27B817121B3A603131C1ABCE36DDE6BFCCD299F763DFADDBADE18C3AE7CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0E4-6152-DC28-00000000FD01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E0E4-6152-DC28-00000000FD01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.560{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0E4-6152-DC28-00000000FD01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.555{5EBD8912-E0E4-6152-DC28-00000000FD01}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:16.077{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D9C0A77F416EE37073485AD1D6E6B8,SHA256=B7DFC5A3A62303C54ED21281D56D9796ECFBE6DEF0CCE9E753CC79205945F4CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:14.385{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61845-false10.0.1.12-8000- 23542300x80000000000000001294760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:17.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66A69479AB1538FA496C9470B1EA39C,SHA256=EC3E608DBA2B76AD214CC23D45A206C8FF892C6962C215F80A681D418335035E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6B1701AD71352E3CF482F8704D4389,SHA256=DC4B6F788DC0928D7534707889FE60546B10C5C297FA3629E7FE51504F7FDD76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.539{5EBD8912-E0E5-6152-DD28-00000000FD01}63205848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.257{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0E5-6152-DD28-00000000FD01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E0E5-6152-DD28-00000000FD01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0E5-6152-DD28-00000000FD01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.239{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.240{5EBD8912-E0E5-6152-DD28-00000000FD01}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001388354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.092{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001388353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.077{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4DA70FF33D9C5B4288DAAFF5B97037,SHA256=A99D417AE4533661F20E200FEDB380A898C2A4646447294AD5BEE016CE50658D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:18.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD55C64568F2449B9CF8790ED2D579C,SHA256=1B59E57E45EE981E502693C250C72CCF5A25DCC306AB7D2843AC2AC1613978E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.992{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local59156-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001388368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.992{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59156-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001388367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.985{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59155-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001388366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:17.985{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59155-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001388365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:18.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB1AE060415D1F8567E531BFA04E1E5,SHA256=2A85B9D220FA4A1AF5EF0D39ABAB15CC0D2E96E4704E0FCE02050CB942ACE00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:19.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19455C934F274AFA455F412DBDD4B68C,SHA256=E6F17A580A0315AEF4A3B054682A8D5AED55737C88109D305CAC44DCF9C40021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.975{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001388383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-28 09:31:19.975{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\StubPath"C:\Temp\evil_spooler.dll" 10341000x80000000000000001388382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.975{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.975{5EBD8912-8D2A-6151-9600-00000000FD01}46326468C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E0E7-6152-DE28-00000000FD01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E0E7-6152-DE28-00000000FD01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.960{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E0E7-6152-DE28-00000000FD01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.954{5EBD8912-E0E7-6152-DE28-00000000FD01}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001388372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:18.101{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59157-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001388371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:18.101{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59157-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001388370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:19.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D4D365399ED1FA4A29E07F2B69C5C1,SHA256=4472F3EF19DF4A0FF5B19966047EB5014AA94B20CD3F618B488A75A5DC0880EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:20.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A60ED772F2A459A51CC82D709866D9,SHA256=38D524B36AB1C1C1AABF4E55230CC5FC48C0DE114542EED0FA380CECBF1C8129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:20.975{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=281FA1168BF15AEEAD6E6994484DE520,SHA256=0E5F1AFBD0E07D22BCED8A87F612FAAAAE3B3C2811DB266A5124595685455B3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:18.144{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:20.122{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E566221A413437F3A72F7F0D3C81463,SHA256=3377885BD9B0F3FCF80EBAA0C075FA23024B2AF9149F34F9999D26FD86D7C1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:21.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6400FF47174935743FFB0B6EB264546C,SHA256=D409D5428DC643520912295C8B04A3F500B07DF0F3515A5B9ECA1FF40804C4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:21.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D943546D551CE292BBFB74CB327C8F4,SHA256=049A25BEBEABA7B977AD03F1C3F74E00040DDB0C90F82E1B80908BF5CB196EF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:19.404{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61846-false10.0.1.12-8000- 23542300x80000000000000001294779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9A5641C1926DFE270009946BF1A5A3,SHA256=BCC4A85D196CA52905DF326E2DD083E307F7B5660DAF8F95D11B33349FBA18B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:22.154{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E7CD7B969C008A072F53176F4E68AF9,SHA256=3936EE75068768744D9A888306CFAF00F0880463CBA88B0606808707D28E4966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E0EA-6152-CCA1-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E0EA-6152-CCA1-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.224{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E0EA-6152-CCA1-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:22.209{69CF5F33-E0EA-6152-CCA1-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:23.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CE3B1CF9476F8FEA58ED348459A84C,SHA256=618B77718AD71111AB1FDC3BE96CEE6071306D70315C8C1DA65F9E9C3FE76C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:23.172{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646D8399765EECBDBB42872FB4B7CC07,SHA256=0DEF29257AB5A10CBAB94497F2EBEFBE896678C530EB177CD2F59A2EA90F72A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:23.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC4E8F789993100717BB82064FC41AD8,SHA256=E5621957379FA0BC8660B9A7845891D5C17859FC99A4762DE4561BF1C0D51C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:23.240{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26ADA0B048E46EF2B1F0FBED29D03EEF,SHA256=CAD975EE9ECF94363480E480C31553F9533FA7842005FAF78D022CD9684A543D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:24.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71F900C38887CB0AFC49587ADB076F1,SHA256=206E5200030FCE14A790E157EE8CAFA45B57F1F084FC2016E197296DE589AD4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:23.178{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:24.187{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794D734D13BD37D266F50EDC6AEA5453,SHA256=1BAAE703BBAF5C16445FC0C25377E3BF178EAFE24FE857FCE8C6B6B50BCE0C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:24.089{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5731MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:25.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9E4A5A123C4AB22540E0A4593184C9,SHA256=677A72C048CD1F021A6071AC93CD0D6494ABA753D69F79BCAC0D7B3B9429029D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:25.202{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4B03A10192F73ACF9C98646FA4EE68,SHA256=C5E49752582E42E92F29427FD7EF8041A7AA0ABCEC3EFF328F376ABF230EE83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:25.103{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5732MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:26.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A598CBF477EB70A9AA07E7EE1FE5F6,SHA256=28DF4B5A27285ABBED2FF155CE54C5B6561AFDAAB03BA5DDEAA0D168BEF2CD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.654{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B253D679C41F081D05D413B974B4148A,SHA256=CE0C02DA8F8007348A34281E3A519658B5914E6D0B71B35F25BB126CD6746FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.654{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5709FE4557A29DC9998F4643A6B5E061,SHA256=730604A32583E5FBA883FAA5EFE9D03BF0256AC1724BE07B212BFB3DC6526355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.654{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=89096F878853CC5F8EE240A233ACC600,SHA256=6DCA051A6D757D66651F024B094CF333DB85936776FFE0B3FACE4BB5678A5384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.653{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CAF3332D1B02079A3A07FCB9C18890BC,SHA256=17F37617C2EA8B20B6617761E6BCEB9BEEB5DDEFFC5802DD8F708A2C4E756555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.651{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5223B4F0A0AD4837541AF167F8CE0618,SHA256=434257181DC4D470770A0A9D7378500238D1C86A75481EC4A1E554A774F0B22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.650{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CCC5B125EDA7EA50888CC2378DFCAA75,SHA256=4E0D461F6F6FED16CCB9B055A78489A274B1978C96FFB97A24D41060AE0DC708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.649{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=030218D70E3A7A6178B267A6B4E0E477,SHA256=5AC0F38375085C66D8BB3BC8235DC2F1AF45883D06439F8A5DC8E6A9DE2438D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:26.232{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC83D24CA31E941E1F2B88AB5B402CA,SHA256=99D8B6CA660EA5F643EAA051D011461D3076AED4D81D29A66358646589104BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:27.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167C5327B2595610F00335BFF0D53A2A,SHA256=08A81D445626EA7A4C1A9B1FEB92521366C834BC91163B80CA3B51E698C79EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:27.271{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1414MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:27.252{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A975AE1DDB3FE8F5252F72DD96918813,SHA256=1540D373394BE78E1C1867BA92E222FFC62F3BD6CF0A2E521DF03AD15F4914D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:28.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AAB511B10CE7C35D95B18DA6DE8261,SHA256=5B3A4A18EFED95EFCFA03454E2E023ACD0C2DA4A4FFF1F23BCB558191C9FACB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:28.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49179EDD27E6FEF993177085D4EA917C,SHA256=2F7140BE8674EF349D519BAD3FF12ECE36F77EE5516DE90DB5823A3FBB84E743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:28.883{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959D7DE5DE9FDC31BF441BF134D41E3C,SHA256=FE81CC322832A83C00F74F514DFD64E583DFDA40CC62CC66C3043505936633B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:28.285{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1415MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:28.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=036E1D0BDBA82C61718B0C16F518C7CD,SHA256=9CBE054A9EC33D0A37507112E64D7A02BC0FCCF47762C71620EF76FDEBDAC5EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:24.533{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61847-false10.0.1.12-8000- 23542300x80000000000000001294792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:29.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAE4720658EDF44359328802ED3C3B9,SHA256=34004B09B1E3B22BBA43B183343413D38505CBB33A3ACAEEE7570281067D7F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:28.252{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:29.299{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575EACD2FCCFCE1FC6FA6846A2339892,SHA256=8B48E31A559A3CD6AB585B7971AA4ADA1E7A586D1522648C2004317C796F7CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:30.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB3200C085E80C004D56817FF1257A6,SHA256=C902E7BA2E3D2CBE304019A9A9B5E29178859930C2A6C11211C7E646F3361873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:30.314{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F58A0A4226EDB026178F41BC1F9FA96,SHA256=0789D95C383B7CF5C76A63558502959BF8BEF2431CE2FBE155365DD3E78D17CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:31.791{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F884B50827C7733941EC4C41A8CED7E,SHA256=8E5DBEB9256041C5FF8A8A3B84387D9A1E8CCAA9B4E1C57FAD8651FA1DA16782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=530F87C30E270B7079BE868E4D79AD1A,SHA256=9445F690CAF49999E082C3A8A9F8C15BE3A9D472F2B1EB8BEA4930FDA91914B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7FC75B8400CE3921C8AE192ED648B107,SHA256=1E1FFD86D7E4F5C72A0DEDA4DE13A85974437065FE77C860CBBAD8D3B86334AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=17ACDF17389AB36DA905E8915737AD68,SHA256=EC4B5E13F627C99DC53B0C07BA0160B5DFC0070A20E87641C9A694D97B0D81EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=16FE2C981BA889CB92DA589C4FC75055,SHA256=ACA839E270A8A0084920E1609AD7E38CFC81B955C4BBDF82C2168BBC3C433C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=32111CE7BFB65D6AAFE0A59F32BF290F,SHA256=95D45F121102B5810B616FBF511CDAE304E4DE544BCF6699131764E981400DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EE315D907C3624FE35E1EFD27CC9DF2A,SHA256=2F7D050F4C938764AD669FAD0CB6155ACA877C51606AEC01FAD82A702E43F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.666{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D716ACF26E1D0B37726E52F227E5E1B9,SHA256=9B58C7ED8CAA3E2B592D3C3435AED559064A40DE2E8ED73AE105CEE4732F485F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:31.329{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516C044DB9F846E73EB0D97EAEFD7F22,SHA256=850172F3D5664778FC1F496699E3017284F9F3218C0AC15EA11450F037CECA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:32.791{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B29B77E4094B52B47A37AC7E7EB2BD8,SHA256=1DCE4BC39C2F71E964F32E9B15B5232476CC358EFC33570E58EE7733B54ED89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:32.348{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F447F709EB0028FF5B70FB135E60B4E3,SHA256=EFB4A020EB571FD30D28D333536DE9C3A4D958EA82B9F70C915C5A91DA380FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:29.938{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com55083-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:33.806{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B920F469B07B4BCAF92C881D46D3EBA0,SHA256=E6B6ED6A9B9A8AAE7B7EE928BD58CFC065ECD6EC735363C5970116D679389241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:33.348{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01BD6FF180313DE5F2988D314484109,SHA256=C18221AB208DE73189B78E011B9FBAB6563C45CC16212BDE836D0DEB1985D3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:33.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43897F96794FC52F8FECA46F7B3AD807,SHA256=4B4F3FC7F91BB355A5AF6D124FF40E92F4D026BDD7020B0C3E2415E1A55C0BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:33.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC4E8F789993100717BB82064FC41AD8,SHA256=E5621957379FA0BC8660B9A7845891D5C17859FC99A4762DE4561BF1C0D51C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:34.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF28FFD43EE3ADAAFD738D263A54BBDE,SHA256=F9326F8E5710666AB134D5ADBDEEF47FE9C870B75C36D8394840496AA322FC10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:34.251{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:34.426{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BB307A6B81096D9640B7C2A65AF57D,SHA256=A88491EDE2C5311C09FC09C4E451F250CA63298298930145B7EA7F374BE7B09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:35.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290A6713A47779533492F46771E994BE,SHA256=C6A0E6CDFAFD74E230A520B4C57EA0870AA6320D58C72BE62DA3F4A5FBFC890E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:35.444{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F5BC9EEC197E75560AD38AF481CD60,SHA256=049CD035C0AD7B1664B10B1592F21639EED717F6213A8F72AC0B04933A6E675E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:30.408{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61848-false10.0.1.12-8000- 23542300x80000000000000001294803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:36.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC82050C9A898506B7B485E02BD00BE,SHA256=251717298C895F06D7D3A105E5D40DB3F80CA662AB4B558429DBD79C0A1C9508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:36.462{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92D42F3D0C5B3E505AEA5AB5111CB69,SHA256=7189E15D0B4FD610A0B266488D8CD3226966DCBEEF4B66CFB751E10B5C03CC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:37.869{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8BF6FE1D8ADC81F9C9C5707F2E8229,SHA256=B1050307342C3270033E2407F104A2E2EFEABEB63258F84E217A0AB6C255F65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:37.478{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9500C1F01A4F66B3C19606398B15F645,SHA256=5CF0158D98FCD59AA479E6E32E3715F3EBACDE29E4C48A44CEAB03A073703D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:38.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFF66B80914F1C7594251055CCA9795,SHA256=F3B3339CDA112593B36DD9FE8145E82C3BC30EA603C1EA0C81EB2287EC72FDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:38.493{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B8CE8F54686CE023CEEF88FD423A22,SHA256=EABA42509AE4F987FB130DEA5C867C3026AB5906E58196E1E32CC3675638DFF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:35.439{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61849-false10.0.1.12-8000- 23542300x80000000000000001294807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:39.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14965510E12A835ABD54B062124EC47,SHA256=3E8C838F07AB7F1C94E22351AEA02D6DDD8CA1E95D8F6250D2392E770859F06B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:38.383{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse59.14.196.14-41639-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:39.541{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EFE5FDB6F8F03BF0899815C6A61117,SHA256=A7B908F444C31AD092DE52657D1A19AE3A06CE4A72A2733E067C342FCE45E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:40.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FB6B6C02DD5C819B893CC340E0CE18,SHA256=F3EF40B230BCCA5DB4DCBE9021D3E0747A1B923B5D26DD72F7114565BB928E59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:40.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:40.560{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D85A7730810C034EA032C209E42B88,SHA256=692E9A708B64D016017272350EF5BA94819BF0A43534A20AD9139721F1828A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:41.591{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3946929B283E669F03BD9566F90BEFF0,SHA256=5D1A3AD3B382E16C68F3BDB19D3BD5518D1301DD258617000A876E2646F1F5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:42.874{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C9FC7A8C5FB57AC730A1EE40F4800F6,SHA256=B742A5B3EDD6FCAC63364454230FFC23E5012258CE40DDE22052B5EB90A796A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:42.874{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49179EDD27E6FEF993177085D4EA917C,SHA256=2F7140BE8674EF349D519BAD3FF12ECE36F77EE5516DE90DB5823A3FBB84E743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:42.606{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CB1B269B257B33F1681FFA823D8615,SHA256=02E4A5C3CE7DE6166B178E0A92454E1594A664FD333899A67255F54F36035260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:42.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F97242D9880BFD179E7600435AB96D,SHA256=0FE8945FE3B7BBE9C7F4664BB6AC034C9F2A25C5D76BDB6088A63FC36DDA0F8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:43.180{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59163-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001388436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:43.180{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59163-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001388435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:43.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3A7FF3EB3D6E8A2E378F71B9B115CE,SHA256=5169DB230863B4D5B35256760656AB613B07A8EDD85E4710044AE28550585D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:43.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A34DBD1B17B298242514B38AACB1759,SHA256=F38384D45BFC56BB424B83683A93D9FD88E056C958410BDF453BE09478E2688C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:44.430{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBD5F775DFFB59A460F40B4C6369C729,SHA256=70D14CD3C89BB92D465FAD9684536AF2860CA17263F2F6F4D59EFDE6514C1081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:44.355{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A30500636EFB144534087BE38C48F47,SHA256=EF6FC4CEA92844C36E47DA9B903D98943F3643E5BE2E24929F9C38273587793D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:44.658{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800528FDE388A92FA330DEFDAF9ECA71,SHA256=28C0E2ADF72719DF2702CE47B4FCF995F4633E43BBCB1CE5D38DFEECF9307FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:41.453{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61850-false10.0.1.12-8000- 23542300x80000000000000001294813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:45.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0011919E7AD8575B15E0297DB080BCB1,SHA256=B6BAE052E49465FD9381E0BA941DB5B3EBC11ECF3735635775710EF4CD08D15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:45.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6019D96D07388E1E447AFC8F9C324811,SHA256=4039F3A74EDF3226D6B3F127CECE00EC254BBE52718F67F10AC5E92505BA4459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:46.679{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226704C0B11D52CA0853627C2001BE97,SHA256=453CA42B04A9779ED6B9EB4EEEDEC781615D830454EDAB3E3DD25E1D9B3CBD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.688{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF064DA57746926369AB33EA5DE5AE22,SHA256=A92193F67A2D11BB8D5D7B183E4027706191D15F3F2E4F88B4263DC0A16EC05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8417741FC8640471F0E109664EFDB967,SHA256=C83CA7CDC4D0B745873C677B7F036AB17DFCBC72CBBA0099EBC83C2019ECD5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3427CA63D9808872483A6100D3D9A8CD,SHA256=1611147DA047A53AA56828F34A696B3CF0287A0478BDD250B17C97044C265407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C1C55D3C1C95956D08150C902D73B34B,SHA256=98180F696BDE34456716353A5D957E58469A305FC67608C4FF1BFAF735264FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=650281D0E5335AF8C9C74B233FF3A229,SHA256=77A68761BA4D809E58F7AFF8E2ED8822B0E98AE8CBCEFC508443CE0FA74C2E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=08476C0CBA0A03D187C78C0A4F2AA93F,SHA256=F0C9946E1BF84366B23A4FFB4F5E69C184B57E1ACF04853428A553866CCCC739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B78BB4470C08AED3EDD0FBD7D057B107,SHA256=334304E4AEC20BC9DEB7A7DD74430CFD7E4ADE2746A65F6F4A9F9537F62B0688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.173{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=50FB89AE163F6B500B59AC13DC7D821B,SHA256=5A8717E63E5C15A36B586D3C515FFF8E0345A44A57B8B27F0FE9A7C92115C224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:47.990{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:46.063{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:47.691{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E9FF94FD6E32EB701B35533A4CC3D7,SHA256=C7920966E04FBEC8FF025C3474D24ED890A5B0119F87FF01F3C3892AA9F19952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:47.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D438AA458180FD6F2D3EDB8FDBA2E5,SHA256=332256BD1DFB24225DB598EA425ACE70A8DAEB7659A4C8E93BFB3872C0A50630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:47.476{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:48.455{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261851-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001388451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:48.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64F22E704A163E7316F7566897DDDE7,SHA256=1BC7F56869E11574118A1A37CA8BA2E0E2509A1000D6AF2BED35AB2D02C3B18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:48.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9EB4C84E0ACDF6EDA592886B8C1F9E,SHA256=ACFB404446058ADBDF030F0EFFA1BF6C8A3636494DFF6514744B83AB9E2BD705,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:45.756{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61851-false10.0.1.14-49672- 354300x80000000000000001294820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:45.443{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com55235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:48.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE3D6711F0DED7DD1ADFFCE81775B34A,SHA256=D2C01375597AF618A7C7A5D8B6AFEAB2B06DC7E4189D1042B33E3C0F60828A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:48.414{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43897F96794FC52F8FECA46F7B3AD807,SHA256=4B4F3FC7F91BB355A5AF6D124FF40E92F4D026BDD7020B0C3E2415E1A55C0BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:48.980{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001388453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:49.739{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9364433224D66F86CE04C88CE3C06F71,SHA256=29EE4DE09318EAC64C6667D6D596DD036EC0CD9E12AA37D785A1BC88D98D1EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:50.758{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3F93739CB139716E68DD05F6F457BF,SHA256=E01FDFEBC0F227048A5A7315331540B98E3668AE98DD6A7A75B606FA2393D633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:50.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC4F888C8F4636459802734546E12E5,SHA256=7F6AC0BD7E71390EECE373D131F462C8A06A374ACAAE77CA21B470A2A9276EFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:45.812{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61852-false10.0.1.12-8089- 354300x80000000000000001388457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:51.164{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:51.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D818059FA10BA371717C84B0260CC03A,SHA256=5C6164B1AEC99E6A282C5D1F3A52177856224E895E938936886C150FA7A18176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:51.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B29827E92DD2DC73694101219C8B0EC,SHA256=1B04C10990CCE4D5B7035C430947C666E97AE47F7D2241B22CDCBB50ADE717D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:47.390{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61853-false10.0.1.12-8000- 23542300x80000000000000001388458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:52.803{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5C25FC567A1EA381DFE769AA5FF71D,SHA256=9D543B6E1E0B6B1EC75D12CC1D168DAB54891D2DFED98CF9513C7AB9EDA5A0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:52.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3452BFCFA84A0DB7B0E26D78F6250277,SHA256=C80CB0154E62EBA6E68601089AD23F731D8B92F0F61185CC2EEDB2680B84EEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:53.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC24B8A974C975A07AA3CAB66F8E6673,SHA256=9A102E250889901D65D0D7365F52CD43C11CE63626AEB2218B76DB8AB82F5323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:53.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58752777C26A2659520F8A18F962AB84,SHA256=B548F7E7735898735B950308B2B7D82347162EC7B35720BD82766DD60278BF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:54.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F87FAAAD5D0B3C568F8B9218CB808F5,SHA256=B35682E3E2A243E4B25A7343CC1644C27593CA5CC6275699FD82EAB41FD40134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:54.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F8291463765B3E85C643E6DAB90899,SHA256=87B0846EE86480424B0C6461165C96830598133A171218F5215FEA9C42E8A02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:55.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8B659F045B8EFE387DBE593549CBA6,SHA256=1C06351A7C8E933B85B20701FC4388ADA39F5F1B309B2C923A573DA1715D78DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:55.904{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934B257D6C8C2EA0A66DDBB1F880349B,SHA256=AEBD63C81C6BEA364D608F3B85D4FB45764F4F0E525BA1E0299C8E9B36E7FDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:56.936{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51033C43FDBA52DC9919A496829D7B5A,SHA256=3A9021F31E903E2644D01AF94BD3ECF9EA280FA2A5905BAC8FB1D39F40561378,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:52.593{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61854-false10.0.1.12-8000- 23542300x80000000000000001388464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:57.955{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20ECD506B411754AE927B763F3DAED3C,SHA256=4A51A2580D6BFAF6AA29DB48073A033EC1226C287275B776C14BE7DB73893EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:57.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873E247FA8B50E6D58DDA5CA502589DD,SHA256=E6BDB73630AF27BA448AA34B74A7AC0691AAC0F7320E53342B82621A08549844,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:57.078{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:58.970{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134D2A0D6EF2E15E33B9EBB17631DB33,SHA256=76DB20ECAEB0D876E54B10A50E4E075443C121BB7686B6213294633471187E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:58.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DC36BE48409A9808FE5AEF10AF7110,SHA256=1CCDB017FE4F0279F82D3AA2FDA2DCA715E62920D4636418DE23DCEDAE06515D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:59.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08453A220BDAEA89776763B41D5B7671,SHA256=34E5C047D3CB446E3AFA693FFADB493B2629A295C1BD47339376C50FC6F37209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:59.090{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C30E3FCC34010E8891A952E2B2DF6AE,SHA256=85EC3EA56F2857E48CCD7B6D80C9530165D7EE3D15E8E96915F0F7675C5C9873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:31:59.856{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:00.974{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAABCB3408C1865F560CF851B014D9A,SHA256=AF5666EC1E8E060CD50E4218CEB5C3400CFBB85B59FC3DD9AA822F764C01E3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:00.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DB993A4B54E73D0505FFB1C1C56081,SHA256=DF295AA47A337C4407A48216660F33A66A6C7CDD310C142808087BC0C798885A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:01.989{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFDCA3648D3D5881255DA8E82F68EB0,SHA256=3735C5DCEC42D2D41F27FD5978ADCD8C31FB367B09F51C97D888EA052F141DD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:31:58.551{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61855-false10.0.1.12-8000- 23542300x80000000000000001294836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:01.122{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF921ED2919E5374C70A85B5C1BDBF3,SHA256=3BD8B6210AD28AE5D5AEC3960BF9581751FAF887872347270F3594A3565D8520,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001294848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001294847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x15070cca) 13241300x80000000000000001294846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b443-0x4f3dd482) 13241300x80000000000000001294845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44b-0xb1023c82) 13241300x80000000000000001294844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b454-0x12c6a482) 13241300x80000000000000001294843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001294842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x15070cca) 13241300x80000000000000001294841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b443-0x4f3dd482) 13241300x80000000000000001294840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b44b-0xb1023c82) 13241300x80000000000000001294839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:32:02.496{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b454-0x12c6a482) 23542300x80000000000000001294838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:02.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADBFC06EF2CE34AAD5B578D7573BD7,SHA256=20BECC114B619ABB695F3D429B1EE15B686DEEAF1D8790B703A027B3923BC782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:03.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049F7E6DC67770F79AE40E1044D1A034,SHA256=D0718439AF6D611D090F289583A922394178562DB5ADFE3A2F4F45CAFDAE9AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.135{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.111{5EBD8912-E113-6152-E028-00000000FD01}5752C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" 10341000x80000000000000001388483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.104{5EBD8912-8CBD-6151-0B00-00000000FD01}6406104C:\Windows\system32\lsass.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.104{5EBD8912-8CBD-6151-0B00-00000000FD01}6406104C:\Windows\system32\lsass.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001388481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:02.196{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001388480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.073{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.057{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.057{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8D2A-6151-9600-00000000FD01}46324280C:\Windows\Explorer.EXE{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\system32\eventvwr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001388471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.039{5EBD8912-E113-6152-DF28-00000000FD01}6408C:\Windows\System32\eventvwr.exe10.0.14393.0 (rs1_release.160715-1616)Event Viewer Snapin LauncherMicrosoft® Windows® Operating SystemMicrosoft Corporationeventvwr.exe"C:\Windows\system32\eventvwr.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=16DF74906C84D249F47C3709F47DF6C3,SHA256=1501986365AE248C8E4998ECADD52F44ACF9E31D05FA10B0C324DC12D4A5C07E,IMPHASH=CBB611BAAB2FF1FA71F1D77861895ED8{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001388470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:03.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECC9EA09C941A9F64335F2C75557EF9,SHA256=912AC2AF9DF78AAA6D3CCD0A90D30022862FAB0DC7C68AFE3C7D62998C9E497B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:04.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EA2281549B621A9CBFB7D8EC104A2D,SHA256=FCF6F9255AA4ADDE87D0BABF6F257085C076E448B8F60054E2FFFC391F412DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:04.056{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C40753CD9C372172D1C423155DD507A,SHA256=F8441D72E1685DAC0CAAFC1A1220D491B1C499710588C690D62334A50360C38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:04.055{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ACBAA898F9D3B5CDF4A93A54E92451C,SHA256=80C21711B9BD968BD6EC586F28DFE485992E3E23396AF06346F5054063E3D7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:04.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C9FC7A8C5FB57AC730A1EE40F4800F6,SHA256=B742A5B3EDD6FCAC63364454230FFC23E5012258CE40DDE22052B5EB90A796A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:05.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8B0FD20FF4F8E36AA518BFCB0C7F08,SHA256=5C06B1F84C71AB5D2487FED4280A7D8AEA2530165CB275434B289F1C0D768D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:05.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE61B92A5C8B0CB59BC5E622395482F,SHA256=DCE342828969E63937EDD95A223AA6B1CFFFA690630B38802880A22A06318F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:06.184{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E1B9C04DDBB4E9DA02D98B4EBA94CE,SHA256=CA7F69AD7948ABCB58CE1A6385D6A524153073D23F95CE26D5B3DBE150056961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:06.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B89235A1F64F3ED425E726B06EA23F6,SHA256=88F767F31E7D6C020D3D077DA9DF1B45899F80345F500746B794B75D8B8816A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:07.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D20724CCDD20AEFF3F4940531F679A,SHA256=33A78F8C958922397688C0E480A07B66F1B93916C4BBB4CB6E21947B7E62FE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:07.139{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9759EF5200559C4BB6D6A3945538BDCA,SHA256=00D69520A5E51C4F837066F80BFD66185CC7CC996D6AB79F7E536F0453196EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:08.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCA5F5ADAE89643065E554EB160A32B,SHA256=77FA0F7663275867938DC82E30903FF8A9E00F841DDD75E6CCCEE9BA081B70EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:07.224{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:08.170{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF1C848560099D684211C8926BDB73,SHA256=CFB012E419546CC398E09BCDAE24FB5DC77FFB363A971457E6AC4D39ACBA0247,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:04.614{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61856-false10.0.1.12-8000- 23542300x80000000000000001294856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:09.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16147496B91A69DB3E9A8767AFCD58C,SHA256=19CCA76E7CBF485B93424239E220C2F0E7AF85EA7D66210F92B5913ECB14D251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:09.385{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DC0747BB9DE5A89D19958C47C1C4E39,SHA256=7DFD962EE13F664030B31B8852FD11C8FF4F165DEC5A28EFE73595FC051BA6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:09.385{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ACBAA898F9D3B5CDF4A93A54E92451C,SHA256=80C21711B9BD968BD6EC586F28DFE485992E3E23396AF06346F5054063E3D7EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:09.048{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com41653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:09.201{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695C38BE0B28FC098534D023E07585E7,SHA256=8D2D01828A0F3693420EE3A483005DBA0B3BE411851A8448FC7AEEDF8AC5D4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:10.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2820AC8E56AF782A179875563454971E,SHA256=A971182108B9833EE1E8258E77A9F8D814EC1F2A115F1D00E80B6B9474C56A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.949{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EE1C7C81BBB64EEF0BE748705928C8D8,SHA256=39A7FE1FB652CA0E513FB606EFF96E2FD139930B2B3D240C414691570DA73E98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.360{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E11A-6152-E128-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.358{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.358{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.358{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.358{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.358{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E11A-6152-E128-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.357{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E11A-6152-E128-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.185{5EBD8912-E11A-6152-E128-00000000FD01}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:10.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BB0D118010225D1D4640BB32A1D03E,SHA256=D8572F870311D7EF4B695C3231DCFB2E6D04D565D8D5712A5FA80286CA2DEB84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E11B-6152-CEA1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.981{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11B-6152-CEA1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.967{69CF5F33-E11B-6152-CEA1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EBF7A009DA2A77AA96AB628E1FBDF1,SHA256=6A338D4C2197971C661C4524C1A7413249A13B3FF4F175E35BBE1FA34635698C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.397{5EBD8912-E11B-6152-E228-00000000FD01}61766592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.236{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7367E331B1E9242AD43259C98CFB4EE3,SHA256=FBA102AE31667E5CD4D684F7ADF578A93460610C1B324FD5BB0A2724CD90CD85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.230{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E11B-6152-E228-00000000FD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.528{69CF5F33-E11B-6152-CDA1-00000000FD01}38602896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11B-6152-CDA1-00000000FD01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E11B-6152-CDA1-00000000FD01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.325{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11B-6152-CDA1-00000000FD01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.310{69CF5F33-E11B-6152-CDA1-00000000FD01}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.208{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DC0747BB9DE5A89D19958C47C1C4E39,SHA256=7DFD962EE13F664030B31B8852FD11C8FF4F165DEC5A28EFE73595FC051BA6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.187{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.187{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.186{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.186{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E11B-6152-E228-00000000FD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.186{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E11B-6152-E228-00000000FD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:11.050{5EBD8912-E11B-6152-E228-00000000FD01}6176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001388530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.782{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E11C-6152-E328-00000000FD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.780{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.780{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.780{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E11C-6152-E328-00000000FD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.780{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.780{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.779{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E11C-6152-E328-00000000FD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.647{5EBD8912-E11C-6152-E328-00000000FD01}7092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.246{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE38F614B0047FD5F6C32AF232B4E52D,SHA256=B5A81BC29D3C1B7AF1AB7A43D076504A5EF4FA69D2144CC5AB2551F5EC1691E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11C-6152-CFA1-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E11C-6152-CFA1-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.606{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11C-6152-CFA1-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.591{69CF5F33-E11C-6152-CFA1-00000000FD01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C51D141121930F131289ADCEA99AA6E,SHA256=157827E2216FFA1B0B43CD2BE5F7E04095CC0F88957D94CBF8A3F191074E5988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE3D6711F0DED7DD1ADFFCE81775B34A,SHA256=D2C01375597AF618A7C7A5D8B6AFEAB2B06DC7E4189D1042B33E3C0F60828A35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.231{69CF5F33-E11B-6152-CEA1-00000000FD01}26843572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:11.996{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11B-6152-CEA1-00000000FD01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11D-6152-D1A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E11D-6152-D1A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.856{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11D-6152-D1A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.841{69CF5F33-E11D-6152-D1A1-00000000FD01}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C51D141121930F131289ADCEA99AA6E,SHA256=157827E2216FFA1B0B43CD2BE5F7E04095CC0F88957D94CBF8A3F191074E5988,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:09.892{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61857-false10.0.1.14-49672- 354300x80000000000000001294918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:09.779{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:09.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-36808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001294916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.403{69CF5F33-E11D-6152-D0A1-00000000FD01}32962840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11D-6152-D0A1-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E11D-6152-D0A1-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.231{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11D-6152-D0A1-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.217{69CF5F33-E11D-6152-D0A1-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F5B38A8DD20A45DCF232A5C5ED464D,SHA256=2ACFEAC619C586037FCC7214430750AE5DA14E5B255950C5470C83AB0CE1D556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1D87DD966C69C62E026A8EA582D4F,SHA256=5561AE9D49A1DC925D4DC7AA3CECD3A24F52A905443172D38E97DC068D40E447,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.723{5EBD8912-E11D-6152-E428-00000000FD01}21881880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E11D-6152-E428-00000000FD01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E11D-6152-E428-00000000FD01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.570{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E11D-6152-E428-00000000FD01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.456{5EBD8912-E11D-6152-E428-00000000FD01}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.255{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD07E654A7AB0A7E1E83DECFF02A7F16,SHA256=B5D8F2D7E4070B50D00C9BEBF4E5CDDCED270D7B4434C6E0F31B0EE93461E922,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:12.591{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261857-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001294951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9930577AB5953C55BCD3FFCE28EEA0F9,SHA256=6EFA7440293B93346288068DDFF2C2DFE41D75AF685193FA7B3FE1722D4F6119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.637{69CF5F33-E11E-6152-D2A1-00000000FD01}15722824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E11E-6152-D2A1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E11E-6152-D2A1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.481{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E11E-6152-D2A1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.469{69CF5F33-E11E-6152-D2A1-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001294936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:10.930{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42559-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:10.443{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61858-false10.0.1.12-8000- 23542300x80000000000000001294934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DBFE1FE62E3D6547703492A70576ED,SHA256=99E45D08B46B9B7864E8BC049AC11D43A9FA256A8ADD855D20FDAAE1E0F583E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:14.263{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4296C31E5DB96CFCC74AF9A60695BEFC,SHA256=15AEAB2D41F16A44A98118C94AE91B088A303D9E7DB8F1EC019C599A5E8B7C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:13.097{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001294954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:15.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A15B33B9328423A6674161FE86AF264,SHA256=0A378E6D8C42E136FA84BF5A48E2DACBB7FFD1F5F5D94B86F1DD1A8116B6F432,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:12.009{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47719-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:15.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6515343BEC2A824651E929B18EED98D,SHA256=5262CD91434177EE1AC30FAB0CF6100D966C1222C85237AACC64EBFECDA171E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:15.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDAB0E2495E3D805F85113E57FD90E6,SHA256=BE657E643444AEB81101BBC1513459613A24B0A24A082CD2AB43F89A231B290C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:16.950{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA63B548CAFA921DAE2715C7423A5007,SHA256=916A97124D8F6D60D55494D8CEBB50FBD1799E0A30A2DAD5A2744DA33E32E35A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:13.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:16.684{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBD250A038490F18AB1DF95A8A069E8,SHA256=085F98BC379CD678A69491709394C6EFEF9884C2A1AB06696C6B286B43AE837F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.744{5EBD8912-E120-6152-E528-00000000FD01}71042088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.623{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001388556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.623{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.623{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF53228ef.TMPMD5=B75F25CB252B727E2DCC540CAC552E56,SHA256=96C19E5EE1729DB76022409784B322D8E42CBF29BE3FA29E7901432732AC8434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E120-6152-E528-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.576{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E120-6152-E528-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.560{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E120-6152-E528-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.561{5EBD8912-E120-6152-E528-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:16.360{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC7E0FADC4A0EE2D6B11ABDD591AD5D,SHA256=E0BA499B37EC885ECCB3E120EDB38CD3E30751CB698BA36316C0A61F64D451E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:17.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710F16797B42D7B88C8B8D4EC2BEDE34,SHA256=A2B8DE974C3D6F21A244F4DB0380E31C89DEC2E4F9000EA019F6C3DCA9933768,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.575{5EBD8912-E121-6152-E628-00000000FD01}49966900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFBE876EE44A9EB1A041BEFE3A4186FD,SHA256=EE895335B91B382B93A4B0964EA6CC9E9503F8EE6817C7E873BA90A05909BCF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E121-6152-E628-00000000FD01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E121-6152-E628-00000000FD01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.391{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E121-6152-E628-00000000FD01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.261{5EBD8912-E121-6152-E628-00000000FD01}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.375{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB492C01829564D12E7045A30097B88,SHA256=5441D773B4E55090E021204372EE9B21C1B1B3B71D12445FA23D026E45767ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:14.244{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-58239-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001388560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.060{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:17.060{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:18.387{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE564B2F1793BB33BCF8944A6A7EC3CF,SHA256=BABF2ED3BD857ED1218184B6C44F4CF1496148C408F761E17C629F102DCD8F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:18.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42FD4B776B37D7220BD168713AEEAE32,SHA256=75EE0944B306E493A55142B47CC4C65AF4EDC3E921BFEFD6D1755D56111ADF73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:18.147{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:19.390{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97A226DF14A4AA2BFE09506EDE00FCF,SHA256=51936BAAE7FA3CE4B4DE0252E1AF70B0076C8CE9141677C8D7A14E80D618FC74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:16.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:19.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E18254F0E507018FB18FCBBB3D162AE,SHA256=45BD9AC149F6B4E2663B0769682AD77365F804C53D0DF41DB0B99FC8EFDB73A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:19.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD85DE951AB5DEFFEBDED20EAE0985C9,SHA256=423E7BE0D2A85B2F218CBE802720C94B3F253A47B788814B5A02B1385E74D928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:15.551{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61859-false10.0.1.12-8000- 354300x80000000000000001294961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:15.322{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-4352-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001294967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:20.280{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B85CC5EE12D09809CA92C7FA135DBF,SHA256=B52452571E85EB36A3D6F1D4FBE669A4D7E2ADAD2652D962C1513E02A0B5B62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.973{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FB412A8F5747420515D49FF8C3B339,SHA256=EAA0C7F23CC044DBBBF287A29F14EDB54FBECCA2A1AF2C2C9C4BFBD854CA321E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.405{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FD1D95C1CBC70ED1BAF82BCD650F0F,SHA256=9C0FBC95250EF5B9D29396D6A292C490A4922D095D27F361A5CBA08A6BCEAE12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.338{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.338{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.338{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.121{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E123-6152-E728-00000000FD01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CBF-6151-0C00-00000000FD01}8447156C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E123-6152-E728-00000000FD01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:20.105{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E123-6152-E728-00000000FD01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:19.959{5EBD8912-E123-6152-E728-00000000FD01}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001294966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:20.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05913FF283C4982CD0E60BE11BA36387,SHA256=5C81CEC9B1A6E3C7690F84DAF08C5D69CAC2229B575ACD030EED4B6AAA043432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:21.342{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDB474F22FA950FC4EDABCEB4DD5E0CF,SHA256=2C89E5C6254D1757C6BD9E822AE38D20FD10514FA077287C5B094DCF4C4C2A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:21.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5D729920D635CEA3FC442956734262,SHA256=39C4A50C18421A36078EAEB5F01BA8BCB337264D1B530FBBD7D7A8208B0A98D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:21.420{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BA5DE0853B145145443AF5D24AA20E,SHA256=578040D5381000DEE20CDEC59E4004FA5281AD5E0CA236933DE85CB49FAE037A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:17.525{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:22.519{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199D1DC8E1049A102A6A598053D68A90,SHA256=8AC46338B7269CDB12AF7A3EB5CB0045F10AA1BCDA59699766B8AF1304C3900A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC877A5C8131E4799824D7928355D749,SHA256=7145C507D4B668A3EE8697330E71484A2A1019A9D24D616B743A187E01C07614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37ACF96803C35A963A6CF3FD44B77D0,SHA256=6C32CB8790A108A5C9D9E76C9ABD631305D20CB957AC06BD49812076DBDEB633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001294983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E126-6152-D3A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E126-6152-D3A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001294972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.233{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E126-6152-D3A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001294971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:22.218{69CF5F33-E126-6152-D3A1-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:23.537{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C003DD8C2D33BFD54FA0EE4396AE72C2,SHA256=D134026AC109F36DE7605F1374FAB428A40420CA51439E9A33708BDB0E74814B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:23.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E194B7E343BC75CB17613726A5DEB227,SHA256=8201D47BF85D2A9EF9DF0DA845107E752AFAA7867EF00672FEE27F56E731BA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:23.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087B6C3CC5F6BF0EAC528640F2D1F027,SHA256=B44C6FBD05082FEADF6A0587F13155A49238434F4BE92A2A31851D57B7BF9747,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:23.179{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001294987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:19.728{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-25001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:18.635{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-19920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:24.554{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D94A71564BC66C607BB1E37BBBC362,SHA256=6CB89D880DD7780D4CE1CC7E7F08F63FCAB0CC55CFBBEF34B746E48DBEA11A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:24.670{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=427EB51492091373405CC81183F7DB91,SHA256=C51425CE9ABDF57DE6444554797D47B3DCA950180FE6FF58E17A4D31DE1E3209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:24.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C124D1BEB570A1EA91DEED2AEB01DB,SHA256=E2FCCB774745DB8396FB1842F0CB66717BFD9AA4157F93611048353DB84A761E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:20.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-30276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001294990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:20.569{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61860-false10.0.1.12-8000- 23542300x80000000000000001388593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:25.584{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3AAADA2867CAE52C79ABCA7843FD27,SHA256=14BF66B25066A2C6D0FB83D9C8A6B70BF7923B3FDDD48DE9C40C641EB1B24536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:25.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A9F537D66CFBD4CC673996D0CB6329,SHA256=4405FF354103C89AB5C704DC6D3E03A20071E8AF9AA62901E9D81A36418B962E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:25.627{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5732MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:25.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2FAD78939C45E130D06BA050D0141D,SHA256=36167928057ED1A68D5888C339E3794F20EF8D3B0DCD8AFA6240AE145E7E9A25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:21.963{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35557-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:26.614{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A17BC19B1523DC966EB60A4D32AE2C,SHA256=53849DB844468FE2EEA5BA18CDF41816E85B4D88E499DD9472851C9B84CC6FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:26.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B541ACBE8C74C35759F2F08C1B275AB9,SHA256=7807ACB04FC11E248CC7EC04F8323833A999CAC65C64C10E4420C17C8692131D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:26.641{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5733MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001294999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:26.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834869DE223EC9B3A9EFDDEC324E5535,SHA256=9DE37B9FE3A1D673A7BE1ED386B6C447D444652367BBDDFBB1B3F29E5E649F25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001294998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:23.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:27.631{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50666C3390DD3ACF77EE8EF235841E30,SHA256=8EEBA74BE73B14757199349C579D6FD87E1DB22F71D9090F0D8C2453F4785359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:27.344{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14856F581F2C91A7CAC87702E7F4632,SHA256=4F89660DBF75FEAA9FB5083C706A11415E62AF752681001615B1D01AC6264D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:28.815{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1415MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:28.712{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7ACD2C6BC62149CEC5568C15FB547D,SHA256=792EE2B529556A29158EB6485492257C6A9EADFD82BE733EFFC715937753A04E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:28.360{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043616D14102A2FAAE005306DB62AD41,SHA256=966F4B4FAA976FCB5F874C915F7FA3792D90E75EC41342A8DE8D6BB56ADAA182,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:25.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-51261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:24.183{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-46001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:28.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC13AE44EEEBC48F1E3F333F7C121053,SHA256=7F0FB7F343D3B947B2786129DB10562CD732CD5A3DEDBFA14D8CE4EAEF8E7DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:29.828{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1416MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:29.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCD837F6F8FEE21D1E211E2F9895BB1,SHA256=AF38F27A917895D5B480F192032DBF4A561E7A17DB648731F3297D95F2A7A142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:29.360{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E9BB726A6BA4415B3AA5ACC663D768,SHA256=ABB0B9BC567CA187B97EF31D8D14240337B9A3D2667D415148387CD6CCE2B56A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:29.156{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001295008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:26.432{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-56561-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:29.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3BD68D7ABE016576F352328E96AB876,SHA256=6A94E3971FC2ACA837938B7C3B9876726A40421220F92FAB3E5CE98D1D24A8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:30.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898546AC37A22D9CA71D577A53379620,SHA256=6E17637B62B049D7381688303A638610B77B94651BC58D498C62C1F18F80F09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:30.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879F3987B280D3E88E785EE74EB96C13,SHA256=34C1052073974A418E1E7FC0BB92C478DCABB2BACD5BEABEBC6586539E538F87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:26.557{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61861-false10.0.1.12-8000- 23542300x80000000000000001295010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:30.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4187080F059F1793CAF2A2C5D8649696,SHA256=CACD0957315624E44E8C54B06369F0B974B42B920C58EA9C24F82DE22C6B5BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:31.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07C57BEA9F6140D4A5231CE1AC0521A,SHA256=7672875E2D74849BFAB2091238AF90465AA9EAF32A0AC276B106527A02F9B59B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:31.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED15F6887728D2CFFF22A9688313A37,SHA256=9848E654944C445152D5D86D2B38DE4C36F7F8003B82904866B03D79BE3D1F7F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001388602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:31.349{5EBD8912-E113-6152-E028-00000000FD01}5752C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x80000000000000001295014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:27.514{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-2629-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:31.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD804C301708FDAC0F0790F3137CF8A2,SHA256=7266C3F8515400A755D9C3EC9C8D23D0B5A3DA84320717599F440D4F176A7AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:32.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04686050CA913A9EDAEE200F21D655D3,SHA256=8325E55B4981C3C2A6B32964B2B3244A3D7B8286F5F46E87452CE262EB616BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:32.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3A33E362DAE10F536141ACA627A7577,SHA256=1364EE8D118EE3A3104BB0703277C864D91B41215D1F3EE982C7A1BF00B4485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:32.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1665B443D03A3460B117507DD70FD12,SHA256=2D4D718F608809148B026BEBF12D040BDDD958DDD75FB58480A7750F5F1EA13E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:32.355{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59175-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001388606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:32.355{5EBD8912-E113-6152-E028-00000000FD01}5752C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59175-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001388605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:32.352{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59174-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001388604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:32.352{5EBD8912-E113-6152-E028-00000000FD01}5752C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59174-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001295016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:28.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-7682-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:33.828{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435775D47F2535B5E3DA41341BD22E57,SHA256=A5997084B7B469F922B8B13BFE0AFEA14D4C9EA1196A0CD4A70A80D4225D3821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:33.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=587968EE2A57D0F4C198F8D87878B308,SHA256=DADDB40D21166DAB2D1326F2F24334B012CC57CAD90CF4FC6F38D83743E718EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:29.700{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-12399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:33.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5DB57581BF8C4DBE75BDD5679FE921,SHA256=F6694CBA650CA859C91198438B953D00FA5A5DFBA4FF798B5310F191000B0126,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001388610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:31.352{5EBD8912-E113-6152-E028-00000000FD01}5752win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 22542200x80000000000000001388609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:31.347{5EBD8912-E113-6152-E028-00000000FD01}5752WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x80000000000000001388612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:34.846{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3DA1FF3CBA3A0858659291CF4F106C,SHA256=30453C4D35E016E8321A8CD594A51045CDD62DA972782ED93E59D8902850C324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:34.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A80EA943FFB8E61D0494E695E922327F,SHA256=579C7A19A0E698126513A7B870F4AB112502A09A945485FD7AC097CB1904105C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:34.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAB46420730EE3D77ACC07D5B78D8DC,SHA256=6C4438B9AEED451106501A2BA79254EA83708BDBDE77F933A9A8661769A43C76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:30.855{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-17676-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:35.861{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D809ECD505779D3D1F93FAB0C01BEA,SHA256=B4FC8E04508082128F1B47A950E24281358DC1186507295B38001E1B3EED44FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:35.751{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63B0FE89D1AE90D522FEB475D3989F8,SHA256=E30E5B34D890C91F59FEB3B3545E45F78031203C0EBC4A8C79A72F38F9A00FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:35.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883DAFDED506118FC7672F236CC0FD86,SHA256=F2F5800A1807B804E32BB6423837A3E7F4A36B143ECFA1890F98B1C85A93D670,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:31.965{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-22878-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:36.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F1F3477B718B39EB0FC6D42E3F28837,SHA256=8D8BB94D78CCD2E74D7CA87ABBA6B189137652045E75AE10BBA00416796D9741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:36.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A691385C1D6E99349D3A481856D7B1,SHA256=F2A30D1E5C12DA7B9FFFF008972353CC9765064B978B61917E483B8E6C7C0537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:36.876{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA8DF9E04A764EACEA2E691A53CC130,SHA256=B4879910EE4DFCA7D203C40636FE42AF9E76FD5BB45DEDACE7F7F51995EA14C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:35.069{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001295029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:33.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-27849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:32.509{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61862-false10.0.1.12-8000- 23542300x80000000000000001295034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:37.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC06A9C553DCDEFCC0479C9C7AC4E57F,SHA256=DE4BFF5FD7B8FFE6752AC5C5E5731C04571C5F81384073C685973E58ACBA4FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:37.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A89C0D11653C2F21B6547E16ADB125,SHA256=34C7AB24A872B189F93A759F77FA4FFA8017983B8565C33F9D3875D6E1AF30FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:37.891{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34D8F447CCE71D110841A0840F49B81,SHA256=295FFB30DB481A21D2BE64B680A2AD41F09D7C17C7AE766354A4C72488C4F8BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:34.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-32793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:38.906{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE203B713EF425840FE36C4A9F5A078E,SHA256=25AC75E8EAC6E825255B5BFFB215B0FFC5F1917E4430FE4CED146930296C5A1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:35.248{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-37784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:38.159{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\17772MD5=E5EBA641C1D066EDA817087729863168,SHA256=2A6F709B059C49467523645005E1856319B04E3C931D503CAAC029801A3E3757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:38.159{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\27833MD5=E463F67CB29D0BD887CF51AB2D191A42,SHA256=2914F9E9C031F0EA013DC1B3561354C16EB6402367FF1FCE57001260765CFD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:38.159{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\24832MD5=FD2B0AF59E9343BD773A5C7D03B5AC3A,SHA256=1FACCC4C402C4396AE1AFFFBE5712001CC96D194FE35332D67DB84820AC54246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.913{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C5F96C2816E282AB3AE5976D837676,SHA256=9D9AEB74CDB02A8BDB2A77213214786C8937217C8EB169D69BA93F84F528F26E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:36.325{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42623-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:39.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422CC09B5284FE5E3DA0ABB5C41DCD22,SHA256=4942738E8601B38E80243E43CC339EBECFADF3F2574834851C1C3336925EF994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.667{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.667{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.667{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.667{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.667{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.374{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.374{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:39.359{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:39.064{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54663166590D60C82DDCD2AEE91EA860,SHA256=26BD72C43B6C05B8735E083BDC01ABDC6EB4BA930D176010D4CDB78AF6B7A291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3160598D359D80C48D6816873D83B4,SHA256=3C1B8D9794014E7D80DE97EDCE19728A2279F5E1DC243E327883D76C0E5EF692,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:37.435{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47550-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:40.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1735EB8BDC4C9E083B18423A9FBB488,SHA256=E48BB96E3452B441B07455831C43158C678E21CD74683C51594994C5271C8854,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.097{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.466{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.450{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.450{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.450{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.135{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.135{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.135{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.135{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:40.135{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:40.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71A2BBF1A02B223392228FBD7059E46C,SHA256=7D136A6403E57CE73E8CA76381CFE61A594058A0650815DC01EE73D64B18760F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:41.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4131F4DD857AA180D4B6A44648F504D4,SHA256=5EA339F8CCCBF571EF3E6F2E9FE10AD9AEDD13FC0AF81714AE62F37CF223AFF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:38.528{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52420-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:38.494{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61863-false10.0.1.12-8000- 23542300x80000000000000001295043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:41.533{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341135A10E6A38AC22BC5D0B3FA0ABDB,SHA256=9D9DA1E284D82160465661E680FA32D46CC8E0C0B034261AB69271CAC03A2084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:41.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDAB879596A5EE99AC2B4DECC410F559,SHA256=984BA6B4313FFE60A3985ABE3580B5B55443C9A07F7B100C3889A3039F00EE27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:39.639{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-57609-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:42.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22A013359379078A989EA1BA3028CBA,SHA256=57050C2F010406206DFB2C056C90ED08BD40A468317155F03D9713EDB965E0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:42.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C053323FC6587947A27666ABCA48D9D,SHA256=FBD1F4C404F794816B08BECFC914D2478425D4D31BE26D3BF0802201D05318CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:43.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09C20113603632A022B3A0DEDAF02ED,SHA256=A34C115F2A4FE8BDCE82D8345B1ED288C5ED8391B4B825D597C97CE04A86E4BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.505{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54259996- 354300x80000000000000001388659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.188{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59178-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001388658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.188{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59178-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001388657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.195{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AC64407F8D728EE88DBDEE3E6FD35D,SHA256=2774AF2DD6A7EFDB8AE0F5F560FB0FA2187F3FFC85293952D2AAFBF97C2C1307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.195{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E40A0F82070638DF1683484230402DF,SHA256=F330E1A904D57F5DF4AE5257ECC0E928674A019F4E6E2BA89A8941DA6B4D2644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.096{5EBD8912-E113-6152-E028-00000000FD01}5752ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Event Viewer\Settings.XmlMD5=884320A9B8F018F309F5A96107133F89,SHA256=50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:43.080{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5940F3184537C52DFC3591B4385E106E,SHA256=562BF4107E31A9BAB67663A1574E1BDD250D6020BEC140A72AEE5CD58BD431F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:43.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6D05AE090DC43640608692F93D4CB0,SHA256=03309D373D75F88BDCCE73BB592A52C8153F2A70B8905746122BC35E719792D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:40.805{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local59996-false10.0.1.14-389- 354300x80000000000000001295054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:40.730{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-3531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:44.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CBBCB8366303EAEE8031DE114CF8082,SHA256=BB741BD708D95C2867FC2CEC0848A98092194FDACD87F1E15716416C8091D7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:44.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4913B6A27725A71133142D3E4EDF1932,SHA256=624326C980A09685B41B148A44C82428EFBD0CC36F2A2A9A54C6DF522F8BCA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:44.111{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E93696848F855B14C50AFB02E04787,SHA256=47E31DE29D66F8E17B8766DA808A8DD2C31820ECA14175B69FBBA9779A448C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:44.439{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8CBF726D1779157E9E0F57631BA86547,SHA256=6EB3126101684A0738B2295A2F3CB92EBE1956A418EF7BFBA01F9DDB8D80EDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:45.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDB9DE13792C7584546302A7F95AF99,SHA256=4F6D7D1AE6A8630C9936D3D4774C93E25E699250698C123FCD633B29CD83E26F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:41.952{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-9044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:45.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7930EE1B50C0AE26463160D08FBE7CB7,SHA256=A2FB2E12074C832EDC94B33A1585B3A3AFE7478CD2A0771725616DE40AAEB2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:45.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83C7C03D00F633B06A9461CB9BA94C8F,SHA256=5EF365DDF5BA7E13BD60CFCD23B2381A4BCD72E9D4730072FE67DA72CB016C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:46.924{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=737ED51E65AD25425C7B54447B8E3D68,SHA256=BFACF2ABBBA1D4CDF3191367D19C1616391C038FD5AA02DA64070B7221600460,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:43.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:46.845{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8678C2240698963C738ED55DBF47A940,SHA256=A8D9B6B5B7143368910A6E475A823606D8DE25601825DD7D561D1CDE1FD945B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:46.193{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0307D225EC8BD2AC27E3E38F535E336,SHA256=F88A88097D16A8DCA1BFB214740A64A62CCE17754263C49DE5D0416BA9C4382F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:45.202{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001295062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:47.502{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:47.226{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC56141A969EB8DCA5317F883FE3A54,SHA256=BF2E1F11EE2886042C470CF5D9E754E5FCCDCDDA92BD309457B3A628BC3DC2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:48.080{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00345A36B11123C3FB24BE1BD559BCB,SHA256=12D762008CB499835412568C6FD9F8BA1D38DB10EBCF75973E6AFF2BAB31B18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:48.260{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E6FB90EA62C5134BD7151448BDE0E2,SHA256=2069611E0C1DBF485CE81E5EB2FD7BDDD3D9DAEC9B3B496D19F50448410DEEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:48.017{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF53D3254B394B753FB0C4ECB53497A9,SHA256=15873E9129316BF78F80111DEDA4BCAB131D04632D3AD14BF5B0FE96905D20EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:48.007{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:49.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC4B04277A5ED2E8AD0CDA4873F58D9,SHA256=C7AFF90E390EB39EBA2539593135EA073D0A9BC78DBC31813BB61E69B11D45F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:45.296{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-23545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:44.447{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61864-false10.0.1.12-8000- 354300x80000000000000001295066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:44.198{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001388668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:49.290{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B174C0861D061BD65C8A72ACC86E2B38,SHA256=E6BF1EF11D5FD69316F60ECB4C8083C11D6BD3DACD6A0455E8E755DF9A99925F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:49.142{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8056D917E4A1E11A89A4489163F5AB,SHA256=8E32A53181F76C03896CCCC5DE2055CB4B3E082F615897BDD506842E274EDE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:50.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAEB0751373D813FE403C0DECF4CF877,SHA256=314D5CD097A9DA6BBD5D87984BD1D0E6BC3CACAC5F0484A70AE03EE584CFA680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=73EC67B701D589739583008C43F5B563,SHA256=6CDDFF799DE8B3D140E75DFAA79360F7C051B438739C909C6E579690ED49B467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6ED970714B5723AFF9544E1B2B495A9B,SHA256=DA3237521DBC76993D77BA8D571D12EA2024CA8124BD901E076BB082E158CB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=AB04E47AC4DF401D986619471A096F02,SHA256=BA910B3F6A17DCDEF9B57F4E6F60B78ED6CD558F1AE17CE9F2F02F3260688E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9F8FC1BA432787C6091F28DE8F346537,SHA256=7FC2FC83BE8EB1CFE703E73EABA33CD19DA626342210752440B7665B42A2A854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5F3854B757A8BDD00CD3021037D06BD4,SHA256=4BE611260067704D64BD4BF01F2A841DE0C9A80536F51B87543C4C6214A0DD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CDAD210ECFC255F14011F31FDF5BC092,SHA256=2A22E9359B9C983464EC4E6EDC620107014DE157463B99A2D58407386FE6B164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.674{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D3148FAD383990E2B67505094F0A7F50,SHA256=3457783ADAE7F83F11D0364EC115D1B9766D87B23F17FA466A8B41E387223C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:50.358{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C443933AEFB4C674CFB6C5B267F207C,SHA256=E35E8F17DDD5768CE1B3D73B156CD3173DAC1EAF8E76C593C3BCF6FFAE4A0166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:50.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120097C1E774132B7CB1FE361751AD52,SHA256=5578169609BD10B82BB7935842E7193A1FFFE7653270FD8E2A5972C6D6F821BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:46.403{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28354-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:45.838{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61865-false10.0.1.12-8089- 354300x80000000000000001388669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:48.999{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59180-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001295076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:51.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B621DBBA2ED0FFFDA7FD93A097B23CE3,SHA256=63F05E3FCBDEED086F6679580C622195C86B18251C0BB65D4D6FB53CAFA6C21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:51.389{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33334A1AFEA7FB4886F2C4F3F552BE2,SHA256=3B79932C7400D4B203382EB2DA715CBC4219197A8628557D76AFD985D5BA3A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:51.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118A7B498E9DBE50F0D07C77DAF02B8B,SHA256=9F2961E639942E9F88E79A4CE8124628D43BE0DFE7B0F22E9627275AA6DBF6EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:47.674{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-33673-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:48.765{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-38509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:52.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB36BECC2FB36E21C87843F2F972F790,SHA256=36AF47D0A8E57783C4E3CE14A1CE4220B55183DD6909B135399FC74D2CB2F409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:52.422{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367A011BB4E2A978AEC103499513CD6F,SHA256=2DC4DFC4220865CBC9962BD8D0D6C7B96B2C60162A965CFAE3DDE826F77D5408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:52.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C07C22E9F252ACBB0E0F3C26A95E8D4,SHA256=5064956BB6F7252DB5886AE7694A98B19AAF705CE2654535C4AA359C22D25DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:51.181{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001295083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:49.842{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-43537-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:49.573{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61866-false10.0.1.12-8000- 23542300x80000000000000001295081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:53.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635E801074A59A1B4685B8B8BCF36024,SHA256=46BA7CF3660317F38A5D3FC282A4682DD7F3D827CC7373E7C7A002122C5B4925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:53.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BC0A32F6DC5D573463C75E7E0A9C7A,SHA256=A18519144BC61DF199A2F73543766964457DD3B0780D4BFA1BABEB49F3CB704C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:53.440{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74933932FB25B024DD154EEBCEA30916,SHA256=877DCCDD432241002C35EB992C3FF3309357C6A4ADEF9E64DCE176005DFC4670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:54.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9E1DC61C7F37DC7695F5650ECC6DBB2,SHA256=E1D246BE184C5AEC2A46E4C0BCD1F92944D8DF451D08E31E520A6A89A490F81E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:50.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-48276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:54.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F7992C77398DD2CD85A2C482D8C29C,SHA256=CC3F415008E3B5FB7AFC4090C06937BDD3CD007FEDC4F2DE690FB079A4034746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:54.486{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77641015AE410682F336A2D8C615B69A,SHA256=8FB10BCE40F1EB1E3127D6281AF209F2483F4097009D8096FB4B6347DA1DE206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:55.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F70944A6A920DA55157D4EE33775379,SHA256=B0FDBDF035C72B789D5A989D6E34557D94817CC05EE9834BFB18098500BFB106,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:52.014{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-52875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:55.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A06333CAC4A3462C5DD377B3B30FBD,SHA256=77356487C6C9B826C41ADA539EF0B48F72B3CF0CD94EC9DD839FB8261E5E983A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:55.500{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122B2F88FB35DB00C02734EBC77AFBAC,SHA256=E99A36389E4DC55E74E64D10AF002591EDDF7C87156D1B9EBBC5C455A1886416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:56.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A318934DD3A29B22CD714F92A4426BE5,SHA256=659C6A797441068CF4D169E57335CE480E9741FEAD2A4AAB48933C5D0C6EFD73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:53.104{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-57734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:56.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C473D5E150F3AB66257E9DA9F23B378,SHA256=FF60B84D394923518C3FA109F343DD7C80825510EF062A09F901874402EC9698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:56.501{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6858A4DCAA8B02A07C9D9D16DD2BB9,SHA256=B4458688E50694B07101AE5F89E5038AD86C73BFB8F8767745C06FCBA0E76FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:57.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56F4654F8BD6A6B98C137A4CBC68749,SHA256=C0483AFE3BF9E6F7DCB6170AEE8014EB7E4582F9DE155B15DFCF2CC4B15098E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:57.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A748DB75A80EB16A19A135B704A31B,SHA256=2413C6DF9870DF35057044F84ACC46528E88FB1EC738278DBA29C9FD10C1635D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:57.518{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21515F3F82751B92AC7396B8F198AC47,SHA256=6B6A95889FDB13ACFA92E2FAF93F7F19C078D0FE27AAAFF981565C8CE83DC7F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:57.076{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001295098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:55.354{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61867-false10.0.1.12-8000- 354300x80000000000000001295097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:55.280{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:54.202{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-3722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:58.693{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32133C6A02C77BD86D79AB1CD2F8B3CD,SHA256=EF3144B856F9CA215F88FC625C85BC760F8CC7025F23A47E859D45D5A22F49D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:58.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06393734C8077C6CD4B8FD7E365CD9D3,SHA256=CC2D0CAE5A1420A4AC8101CCCF89D5810F46F6785A6E4900BD31BC2B676A5474,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001388689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:32:58.383{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001388688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:32:58.368{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001388687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:32:58.368{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001388693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.551{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D372378F23564BD016DAD62BFCEF21,SHA256=739ECC11EE6E499C0021485561C72B4AD980AF939B0C034839E60300FC66DE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.709{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C54E6CF8D277D32A74AFFC5844D251,SHA256=118E81E7FFFF43A5150CE4CFCE2A2BC2A71AE48637A399E5A59FCA279293EC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.131{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F61C0ED9BDA030D84F75A78CDC5518,SHA256=3EA3174F19A1240FDDB1E0139384C096798A90F322F1C07E4E63E6FB73CC5BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED5B12461AEA5A5BD8D597E982FDC5B,SHA256=39FAC5057B5285FA69332B7797ED9B2BF345A2C192FF8533A969A39F13EDC27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.398{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AC64407F8D728EE88DBDEE3E6FD35D,SHA256=2774AF2DD6A7EFDB8AE0F5F560FB0FA2187F3FFC85293952D2AAFBF97C2C1307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.781{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.781{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-DFE3-6152-B928-00000000FD01}6988C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.781{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A1ECB0F1FF2DA0DF21B5F53998E7E65F,SHA256=80F54119919C49E7C674E149FE5DDFE2F6483C544E312FB8A6AC52B418F76C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FDE7630C36BF1CE6C71406CC8A6931B2,SHA256=785F91CB9CA57A4B1BE2E2701849C37E9C1C4478B8E64EDD4B93FA6A3CC3CC67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=9E8C93E67C7C7A70D0945654CD566040,SHA256=30ECBCA854618AE67FAAB3B2F66A5D968D428EED4FF6F25DB7EFE999602DA262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=67D3577053D44BC724DC76A71C9CC06A,SHA256=9AE00D31470D7BE11D0FEE89A02E293423DE892132A318012D622FE0C76E4402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5097A36BC9AC62750FCF8A3F20FE22C4,SHA256=D82554023EBEF24B5435626E3C0F9A249609D55F61984A45B5839F7127049EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=83FC7A97436E0F462F0F08996E89D6FE,SHA256=F1C141D1ABBE6780DA2E8333D178D17C07C6CBFDB3E36E3EE2D8A45189F7F579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.696{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=229945D9563CE90D005AF4234224BF0E,SHA256=3A6310266B0A84882DAC2614A69C8D52CAA10EF06D79AF509B994627869CA56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.565{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B12B2DEE9B885076D55202608ED461,SHA256=7B4E2034D5BB36706FA7E8F0ABDB7BBE8EDE08B548EC868F0E6F6F67C8732D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:57.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-18002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:56.421{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-13296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:00.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF68912F63D5930A71885C0559330AA,SHA256=6AA81AC615239A98ADB44FFF14AFFBD6954F2569584DE9FAEA578D1A6A893437,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.397{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59185-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001388698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.397{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59185-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001388697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.391{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59184-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001388696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.391{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59184-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001388695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.377{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59183-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001388694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:32:59.377{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local59183-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 13241300x80000000000000001295126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001295125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001295124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001295123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001295122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001295121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001295120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001295119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001295118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001295117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001295116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001295115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.678{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001295114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001295113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001295112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001295111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001295110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x6152ef5c) 13241300x80000000000000001295109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x6152ed9a) 13241300x80000000000000001295108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x6152e854) 13241300x80000000000000001295107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x6152e14c) 13241300x80000000000000001295106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001295105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x80000000000000001295104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001295103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x80000000000000001295102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:00.662{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001295101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:00.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=066BAE4BEE14D9D8FF495E54956A182B,SHA256=E4681AC7A47E4B8FCE5BDC7BF99B055208E8FDAF9ECD3AE56493CD6E6092509C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:01.618{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5441CC6D7B327264DD22F43A82B005E,SHA256=B5CA2CE4665A6B59DCF5F6A29496EB87A6EC6FC31F249D622DC49B6C500895C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.026{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-62776-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001295134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.026{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local62776-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001295133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.014{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001295132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:58.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-23401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:01.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6C87D8C346C1A27C3AA36EDCC29B13,SHA256=339A9068BEA1E0A30E5F48BC9E810655F97F55DBF452EDCCFCD96310601D8354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:00.277{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54250783- 23542300x80000000000000001295130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:01.385{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7689334D4FE0B868881CCB91C28D9D,SHA256=0E43E8E9738AFDD1DE0D51E1BA7C4B8B8BFB52B4E98F8CB56E345521F858C373,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:32:59.774{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-29212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:02.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB947F863DC614B7BD659A0BE6BF6ECA,SHA256=62B4ED0BE439768D81D0743DF045AAB4CF5C47FF285392FEBF116605039B3E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:02.633{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41FB1B9540FF520F273D6F1F5C59E98,SHA256=F01EE89ED2EA02149BE48F7BB4BFAD363F7B86E3377B968E084CDE891198A086,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:01.726{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54253860- 23542300x80000000000000001295136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:02.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E0FAEF0F45A2E1C0E0ECB89FA2C5E86,SHA256=2AA14571D2B8672DF495A32B91D1B0E15780CCE6FBEBFFFE86DFDFAAD42D5723,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:00.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35021-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:00.393{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61868-false10.0.1.12-8000- 23542300x80000000000000001295140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:03.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D65F4EFC5FC3AAF0523CB549424AC07,SHA256=091CD9FBE11369D0C94B480BBABEC63C8CE18E84CE32D9871639B09F52E1FF0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:03.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE96B13832EC381E948EBB344FA1FAB9,SHA256=6F52A61B70A3908FAF5BA2929B7436F4087148C499A6516C54A5B1A66069B92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:03.603{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AABF2DDB90E701A7E9429C1B6D196F0,SHA256=BB884A456DC7D4871DCA68AA7BDB8376F69D0355C03EED8C0F879965DE4620B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:02.103{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:01.729{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258243- 354300x80000000000000001295145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:01.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-41143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:04.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC45F7C46FED5146E3E9D3E6F058CDDC,SHA256=706B8E737613F7D150C317088A79CD89663703692C027C0EEB2C04CF909C512C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:04.694{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6C9DE7DEE54D94F751ED8F4DD7688E,SHA256=198AD460A02F966B246738DF04D9703E67443D4D4306168E9C31D6018C105559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:04.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD0B0C821B486642102FFB1A9FAABCD8,SHA256=C943A0812822BFCFD2015F8C9913F1BD57A97483E8328A2A107D9ACBAADA2FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:05.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AC65A8A7FAF57EFBC511D9C30C9A2C,SHA256=532B3D1FF62913D73C15B70BE6746FB4375D3406A930FDBDEFE4C5AE36199678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:05.710{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D774F1E332A8D6F3D3CA1008D54CC3E,SHA256=B35A210569AB34D34A44A4B1AC5D0ADDFC3B194DD487353CF9422478C979B7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:05.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B1C587200C9A05D750DB390C14BE00,SHA256=5B2D301081C9259AB334749C6D05CAE26DC8F5E6B442558CBD1C7CCA07BD4C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:06.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFD9227A4D15405DD9BE9C5177BE055B,SHA256=4686B12E164EE13A8E10F394C18BEE97B9B83D6EFB31BD5444A63EAA0710D00F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:06.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD091DCA60AC0DEDD45C202B8C4E252D,SHA256=8868385FF68FA075901EA2AFC515B4C5235DFDFA597956D47C1FD4CD6C897CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:06.729{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBB07E826B425F3D6BBFCA7DF270097,SHA256=6F8E6F08A2E0C5529741ADFBE32C6E13FBB5D0754845C92B0B0EE9F866B7E653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:06.330{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:07.759{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACAA09F4D23E39442D1AD3E5A9A1A61,SHA256=271F782D0240AAE77271AE6C7D850CAA9C4A861DDE6AF351CEE85F13EA514C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:07.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A8EF207EDB656B3C8861B5E700573C,SHA256=F8FBE7AF09F86848138EEF8B983A51B9F889B33EFF4D3BD5DAB9415196736EAC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001295152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-28 09:33:07.556{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b44b-0xd852cafe) 354300x80000000000000001295151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:04.132{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-53773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:03.053{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47375-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001388722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:07.253{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.774{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3753CD93FA428B31787C0D35926AF763,SHA256=1EDFA3C0C7206E6C1C92520DE3FB3C13C2EDCED4DC096B796634B022C0D0C748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:08.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF076CE91D7603129D3293118ADD470B,SHA256=850293A80848E13A642F2544132BF50C5473F58926ED6D3611C2A0F7D05606F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.012{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=269FE61A4CADFE625DA91697CC00734C,SHA256=B45101C7F80B226E82CC5682D8231C72526425A545E6C22B49FA822BAC61323E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.012{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F8DAAED454D6774BB910B7E38313D174,SHA256=C4D575151EDE260D96802B96797E13F1B4327DAD83C3309437784724DAA730C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.012{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8E71882AEBF1CA2E18F3799B1DDBF230,SHA256=0E2639A23CBC71512AFBDCAFA7849D78CF68438729DE9E9E56448ED4770F8D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.012{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7BB0D1D935BBFC251B93B6CFF343E866,SHA256=E8953CD7D8CEEDC8EADC998BFBD05B5EDA9406B4B2A049EFBEFE7624E596F3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.011{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=063C942C3CE57E5EC26C531DAA5DD53E,SHA256=C5972400E7332E767A186A3FBDAEE298A8D93F7B909F00B965BDB4234A3829FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.009{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2ADE2E4C540EF03DBFDA615F0698C7CA,SHA256=AFF93A2D95821D3D69C40F2CCDB993A3008BF7FE9FE328ABDEFE8412C2DBB753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:08.007{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5811DDEDBF30246A3903A48948C023DC,SHA256=6F53F0AAD5BAE211DEE07B583876C3AE3C2B5A8B4AA58118E622D6DB4E192894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:09.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E259DB724AAAE31F985BCE204C893F,SHA256=95D4AB725013D88C854BAD81753A0A1667268653FF6E96B8E18C929927840210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:09.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60CA69C52DA2930701138154DCA045D,SHA256=1158FDE10BFA8D6B74D6C035EA6CE1DD8C08BC962E5FD7C9BDAECACC42A9E0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:05.892{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x80000000000000001295157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:05.580{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61869-false10.0.1.12-8000- 354300x80000000000000001295156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:05.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-1596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:09.041{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741FF8FE14BD25717891E328610C0AC7,SHA256=54F08CC2BC8C827EF4D23922AAECEEE9CC5750ADF1DCB0B3E8234F420A99E816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.956{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3792D8FD4F712AF13208CB7DFA416CE2,SHA256=6BA3DC1C4F931692717305ABD09BD0409C8BBE6B13C5750A9FC24758958EB960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E156-6152-E928-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E156-6152-E928-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.872{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E156-6152-E928-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.873{5EBD8912-E156-6152-E928-00000000FD01}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.825{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3C37641D81C5CDABDE8A808F14D42F,SHA256=65F9986A7AAB10EECC74D29B35DED287E62292470257A512B3E73FCD2974E80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:10.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B775B347F445F4E1B009F99693992A46,SHA256=C1ED53E9C9FC92915DF3B5830D4CABA23915C37852480FD1446D4E6180447C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.341{5EBD8912-E156-6152-E828-00000000FD01}60246812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E156-6152-E828-00000000FD01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E156-6152-E828-00000000FD01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.188{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E156-6152-E828-00000000FD01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:10.189{5EBD8912-E156-6152-E828-00000000FD01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001295161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:06.335{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8267-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:10.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA5E7E3B7EDDD2152ABE9FFA139DEE6F,SHA256=99CC17077C0C25797E6481C1024596352A6EA70AE68E997BD66DC5A276272D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:11.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E2A8149F319547B87399E04B54072E,SHA256=021B9CD206DB0ADFF235D04C7E603A0B1597313C9422E0B534F536B752945F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E157-6152-D5A1-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E157-6152-D5A1-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.963{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E157-6152-D5A1-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.948{69CF5F33-E157-6152-D5A1-00000000FD01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001295180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.760{69CF5F33-E157-6152-D4A1-00000000FD01}18723340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001295179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5785C6CB8BB8E7B7F8AF71E35950254,SHA256=0088E855C11E26389161F3D110EAA6ED49088785C21C7BD68B9A26B48C531C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CC8C27C9EFA0399C18F21DC17D0ED0,SHA256=6C7E30322FF36D0200CA13C3E0E39654F8BC8902365B14CE7367CC24526B3C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:11.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD7C867FB1F9F967D4ED6F5C964C66C,SHA256=9235776A56E368098E4B002982BA142FDC440C9AD014549E87B6C1BB07E8CD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:11.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED5B12461AEA5A5BD8D597E982FDC5B,SHA256=39FAC5057B5285FA69332B7797ED9B2BF345A2C192FF8533A969A39F13EDC27A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.354{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E157-6152-D4A1-00000000FD01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E157-6152-D4A1-00000000FD01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.338{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E157-6152-D4A1-00000000FD01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.323{69CF5F33-E157-6152-D4A1-00000000FD01}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF35DAC27C34981320E1D77B113835C3,SHA256=DD48A9CE91C3468BCDFD36C1F5CCE389258CFD9EAC8E069EB727316CC3BC4BF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:07.419{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-14355-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DB5A52A52DBF00A4A9ACCF88FE8D67,SHA256=464771C28B2CE202D3EA0FFC20B71BE8B214D710673DE7EB3A2E75A6F5FF184B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.910{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C877EA3EE1751222955528D834108D,SHA256=A05B6847C6C0749E4DD84C04F8358B4A6AB623F5E32DE7AE3F3BEB368079A1BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.825{5EBD8912-E158-6152-EA28-00000000FD01}28722892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E158-6152-EA28-00000000FD01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E158-6152-EA28-00000000FD01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.656{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E158-6152-EA28-00000000FD01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:12.657{5EBD8912-E158-6152-EA28-00000000FD01}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001388755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:11.841{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8000-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001295209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E158-6152-D6A1-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E158-6152-D6A1-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.651{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E158-6152-D6A1-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.636{69CF5F33-E158-6152-D6A1-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.541{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99AF9E05306AAB9DCAC66EF638B81085,SHA256=FCCDC516CABA53351F55D60C43428B5A396C4B3A57DA5B0B6CD39483CCA8F5B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:08.521{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-20889-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001295194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.291{69CF5F33-E157-6152-D5A1-00000000FD01}2636324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.957{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950E0C9C9B3DA7116F13171C3808FC94,SHA256=C96C49AF041A9BB36E6903C94A7E87E8D2BE4E0C6F0A78293B2CC339C3FE8000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.604{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6F8DEB832DBB0DECBE1425A726D96DA,SHA256=C3E09717D70C790527C300A5CBAED97B4149FB7FF4F4CE51F2A38C28623CEB09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.494{69CF5F33-E159-6152-D7A1-00000000FD01}1083356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E159-6152-D7A1-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E159-6152-D7A1-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.338{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E159-6152-D7A1-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.324{69CF5F33-E159-6152-D7A1-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001388777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.210{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.140{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-16791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:11.879{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-8252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001388774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E159-6152-EB28-00000000FD01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E159-6152-EB28-00000000FD01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.326{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E159-6152-EB28-00000000FD01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.327{5EBD8912-E159-6152-EB28-00000000FD01}6184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:13.273{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD7C867FB1F9F967D4ED6F5C964C66C,SHA256=9235776A56E368098E4B002982BA142FDC440C9AD014549E87B6C1BB07E8CD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:14.987{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832FE01AEA95C764C68E0377C91214B8,SHA256=1638AA3E89EE2CD12201EE6C9576429ED7DCB38F0E9B60BC578BAA2C4FBC5812,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.948{69CF5F33-E15A-6152-D9A1-00000000FD01}18683656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001295256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5CAFF9DC67E9D174CB51E4CE3624395,SHA256=4EDC2E4A26B522A54B1D6C55731B8C4F614ED0AE3C7E5C64BEB2A780DEB5658C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E15A-6152-D9A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E15A-6152-D9A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.729{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E15A-6152-D9A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.714{69CF5F33-E15A-6152-D9A1-00000000FD01}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001295242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:11.439{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61870-false10.0.1.12-8000- 354300x80000000000000001295241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:10.817{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-34017-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:09.688{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-27374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001295239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.057{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E15A-6152-D8A1-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E15A-6152-D8A1-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.041{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E15A-6152-D8A1-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.013{69CF5F33-E15A-6152-D8A1-00000000FD01}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23132240691544A8EBE0D37A2EE62786,SHA256=BE093B4E165307B50B2DEF6230B0B917F2E3813E5A64A7473EEFA9E06FC7FE2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:14.317{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24316-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:14.341{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B7AFCC29E155558711E9701FB803434,SHA256=19E189560990679964466DB592E340C1498D321204C33EF24206BB876C0A8454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:15.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932566A6648ED3C75E3CEFF01352058B,SHA256=1B4B4D0640C72859E9D474257F30945D7C701861B4AFDECC4DD1B0FFEF6259D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:12.005{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-40887-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:15.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0CB488500EDBE6200132D87B07ABA5,SHA256=31A46070BEBB14BE03AA0D18962D8A9C860D12BB4A186A0B745DD03A5AFB9B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:15.555{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381943AF7D8EE4D5595A81E775A32407,SHA256=BA2CD4ED450F540DBB78231A09867B9CFDF87A4999E184CDD4491DB62C9EDB21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:13.195{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-47619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:16.448{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4198057CFA77A437772303479E12D957,SHA256=26BAE659143950DA23A297D7811DAB1D9C33E4A9548586FAB31CAF56E231611C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.785{5EBD8912-E15C-6152-EC28-00000000FD01}71044588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001388793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5947F31181A76E9B5C85023A59D6AE,SHA256=6584ABA0102A303C30A1EF52437E7C93DAEB1A297F97DAFE493B8CF969BFB35A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:15.506{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32673-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001388791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.585{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E15C-6152-EC28-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.585{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.585{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.585{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.569{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.569{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E15C-6152-EC28-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.569{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E15C-6152-EC28-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.570{5EBD8912-E15C-6152-EC28-00000000FD01}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA110B3C71753E3B54EE53873C949B8,SHA256=897F220851B7B6A3A834B805B3F1795AEF2B0EFFA5B3BFF92124A696585BCCBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:14.308{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-54197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:17.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001B5AACE89EDCD92C5F1AD477A71FAB,SHA256=4342BA4DD327E94543AC98625A392E6879784A745F1FA44FDD0BEF58F7C98B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.854{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F980D7EF1610BCE711827669E656652B,SHA256=EAEADE6B5AF28C3C01B8DE2C5B039A25461F5D42B291E80ABF6F636DCF89BA98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:16.584{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-40251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001388804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.285{5EBD8912-E15D-6152-ED28-00000000FD01}60045556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E15D-6152-ED28-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E15D-6152-ED28-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.107{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E15D-6152-ED28-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.102{5EBD8912-E15D-6152-ED28-00000000FD01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001388795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.054{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FA91089A7A9980CD283DB4EF9727DD,SHA256=B49210A49F2A34309191D031932473FDD8EC1BA39BBA316EEF35C5CD43FC241F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:17.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC644653825688B22A8A09501D9A9E9,SHA256=D4237E3378E25CE1CE4BA31AE48CBD6BBFD4892684E2CF614CF2CF60DD006508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:18.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D47AF2ECAD8C4FC4721F097BD07C13,SHA256=8BC099A59115707DD3FBC97FC7D1CA22F9639D3BAFB7BB0D5D7E6505CE1F3497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.249{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:17.690{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48058-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.069{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7BF26D6B667A258AFABAE774FA5077,SHA256=36B8846CAE3EB20D5917B53BCE817869B1D20301B6FA1EC7866844A7EE590225,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:15.398{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-1633-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:18.104{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D299665026480C7891B58B097629C87E,SHA256=C91E8711DD086F8364CB663881ADE232B8C2AD5A163CD87C1BBBDD44C3236B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1CB8520009F0BBFF2976257B3409FFEA,SHA256=67D2E0EAFD09CB0BB2D96E855978E92206012E680D8BB40A48F34E38122F83F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F11A6832D410C62D13AB944F0F5E630D,SHA256=4C98B1A86220933A0B5BBAE8C4C6C52EC979C3F960127D1BAE0B58F0CBB84090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=79DB160EFC33A50B39901B43C999A6DF,SHA256=BE147C5DD24FE3B8A7315149AC2B4F0BBE03CA7AE8CEF2D6002FCD7DCA6D8F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=42D4A0F778C75B336BB325B9F0C8316A,SHA256=3B69B58198FB8251CA2F6A4765C64DF367EDBF53670B41F62405E07EE8D71403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5BF04B84C56B526822B2E7E881B189D6,SHA256=D21F696C17948C4F8FB00DC9AFFFC38231BADE57E74DC2374235ACA23F1F9BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BC13DB71E7737AAD39642811BE3CCC87,SHA256=C33F522089B8BC84302BEB3C13358BDE33400632679233874D0AB6209D79C159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.038{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CB434D9982A9C2AD1F47FEA1C8EF4853,SHA256=F08A3E5AF8033D900AF669B215ADCEF97EA11E3B6A197AADAD00270CAADD1C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:19.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6859BABAA2353F659428CD160E6F95A3,SHA256=8B0518D4B026B9C8C54867561BC1AB17F45B298E65C67E471DB6C39A9CF1B2C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001388827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E15F-6152-EE28-00000000FD01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001388822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E15F-6152-EE28-00000000FD01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001388821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.952{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E15F-6152-EE28-00000000FD01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001388820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.953{5EBD8912-E15F-6152-EE28-00000000FD01}6940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001388819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:18.898{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-55724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.085{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EA2BE8333C44E2236258135CF29FF5,SHA256=41421EB528B183ABF8198F4FFFCBF7EC6A8F9A1C6CD5D815B498BF8CC0486C75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:16.564{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61871-false10.0.1.12-8000- 354300x80000000000000001295270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:16.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-8301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:19.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B89C3BDF949CF609CE00AD4A5DF009,SHA256=24925B445ED139A9A410E0A4C7E1F0AC0046614CD110EACFAC548D4AB6FF795B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:19.021{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECF2DBB3016B20F6E0BE8F89D0067704,SHA256=7197772CFE475190F5F592A0F27DEF695E8E192E4825D4DDEDE58ED510E8756E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:20.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C590A5CE72475AA0714BB4D16B115734,SHA256=233F8AD0191C9A943E9F085F1DFFA761A4FE9070C3EE1D87B5C60E85DD86D784,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:20.077{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-4423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:20.452{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDFC9F1AAE987601C7A782BB6336F14F,SHA256=955AAC8CB6EDDA762F81F3866378DFA2009302AF8913B10816EDDD67CE9C3726,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001388829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-28 09:33:20.221{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b44b-0xdfdf3318) 23542300x80000000000000001388828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:20.106{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE612C05F40D95454556BDDA381A9B4,SHA256=02AEB5FD71A0577FFDE3A79687036072F0793C96F9551998E170D2D277EB9692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:20.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5FEB4D7071BCD5B1D6EC7D9E63771CC,SHA256=9D5BC07059CBA0B55AE2C8F3B0F8FC6FAE34255BBC0A38CBDFE8BF548D5A95B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:21.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D9D9DCAB45A9D60992B92E22B9AFAA,SHA256=278DC427E87823AE937D8E250AB310BEC4610CEF921E2E3010E688F7B4BB8160,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:21.207{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001388833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:21.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6F5D2F4201739204948A17E905CD46C,SHA256=CDECBD8F026150A284CEDC36576FED5658E07B35D16D07351F6EDB1640E58571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:21.152{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C219B95F95B8EC3CC8D740A35788036A,SHA256=42D5B830D7E8137B5AF1726801F6288501D57B0197A7AC0E52CA581F5097E586,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:18.633{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-21871-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:17.554{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-15136-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:21.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F90320B62A56C4E9D191EC699C84D15,SHA256=AEDFFCC8B6304F6C975BBECB1B97F9C23485F17723CBDB952AB480E9242C3BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5CA207E37A6493D218EDD9F86E2758,SHA256=D1D17C559EABD0E0B2BFBE6752F9DF631FC44EAAD7A763DD995297F58E9D3FAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:22.565{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:21.482{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:22.635{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5CB2380C5B4C1E85EE9F3073EB22EA6,SHA256=9EBA8C6725E7F4F33D3FC213F9B75B89DD03A00213F3110A78306B7E8B1BD94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:22.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63C01D96202BCD723F50F41F56E41F8,SHA256=EFBBC03E9A9E451CD3842A2CE5B7E4874A06BE05CA92F44CD74DD437CEF62AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45F0A8EA94A0159DA95D930AE15A7DB,SHA256=0FBE529CE0E0AE6D63243A4E064D9D0C294CC5E87DF8F45EDE400AA6F944CE23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E162-6152-DAA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E162-6152-DAA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.246{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E162-6152-DAA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.231{69CF5F33-E162-6152-DAA1-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:23.965{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B2F43E191E496C0E8CAA57041D04FD,SHA256=DBF65D3C263B716B5D7DECD2B0538F866C54438C21471F358FA53ABDFC44FB8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:22.741{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse2.57.122.204-15615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:23.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2609AA45DDB9D35BFB0DB6D19DF83310,SHA256=E30C38D788D1DB0D9E4060DEEE9DD50FC81433A0B15815160290AD36AAE55C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:23.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7342682C48FDB279B43DF30B3528181,SHA256=0834D86D142F4D1B5CE7811DAA3A693F942BCA8E07D890721C4CB7E75A36F790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:23.637{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61D3F04CFEC3E76335E4D237B155632A,SHA256=0A75EB47F5DDBE1DAF1ADA1F4CE17E436F0B4B823A6C684DEE9A613D518654E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:24.173{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:23.664{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:24.249{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7DAFBA2E7A4A5FDAF3997DC6F2A3F6,SHA256=D593F862388290821F05D8206654F5C085CC359076437AB70327A526A0C9485C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:24.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=471773ED745906AA9772EA600C5AF925,SHA256=656346E574360DDAA9F5571B0B13FF00DC7F0E8B3A9304FE76C4B88C67DA41BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:20.897{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-35506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001295296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:19.808{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-28882-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001388847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:24.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:25.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A26DFDE5AF95C6325897470BF4D8799,SHA256=455DD17817FCCCD5EFB213CA50B60D19E0C1A831D4FB480702FBDF9A481BEE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:25.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308FF01574A0B5BBE559F7A0386DD56C,SHA256=A6A99F4B4F4B4332E0B3062E4DFF625D8D7EE46EDC539C1A5E53879F6569E29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:25.179{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C2368AE4D98A0EFFDA377B0ADE63FAE,SHA256=1DAF106322026E0CB5A198E1357E9FD2F57367EDFF35C56706D16710A7CE08A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.10-42370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:26.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BBC3CCCE5C1D0D313D97EBF68464F4,SHA256=4EF0F91D9A1C8D4785F05BC08E305C722168DD4F166220612442EA15C926FD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:26.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2C00720FB28206A91073B3438FEA0C,SHA256=0CD8078E329450FA07F792AAEBD847EF13E10AA7E7B4B08260F8CFAF70E61C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:26.248{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9748AB31D49A2D349CC46FCA54F114C,SHA256=134D951766602D6D36C5B8A268698AA48B3D5C7BEE42117CFEF5EFF90AA2C667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:22.456{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61872-false10.0.1.12-8000- 23542300x80000000000000001295304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:27.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82724A0A06B8ABEA30B0C6FDFA50DE7,SHA256=F5F75EC355264E8ABB4300F5D4261D1A8B9F185F5FF0563CC4AE6A59CE13669D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:27.559{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53608-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:26.208{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:27.678{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDABF81E6C6A8B81A86DA740AB9F6339,SHA256=ABF30FC5162E29912FC81313CA849E92BC3C20EB56086DC96D959BE876D9D00C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:27.300{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F4E577EC22ACED0B3DBB0DE44C6E22,SHA256=B2312A9A7E54D9B752AA287938D3282CCD7AB06F76CD73D7981111288654BDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:27.172{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5733MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:28.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EA100228E48F8E819DBC411F5D63B8,SHA256=4BB103F5650E929AA34FE00C9F9941CBF5958340E71DAD8AC769177C79392D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:28.799{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DED1578A6AF0E8B3F84206D88EB52D2B,SHA256=A2DCB54A35443CD420BB0E9E015C7D755AD40C677D3F39773247A4DDA6EBA093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:28.315{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2E92375AEC8E1F3074344C6376257C,SHA256=27895CAB449FA31049350072702047D82E5A0A4FE97A8E3D3E974C4268054280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:28.170{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5734MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:29.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CB224729A2261B15C6FDA275F45A0,SHA256=244E0443142FA06021A87A3068BBF43A7C656F40A20B0A3B07B632E120393113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:29.976{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C8CA5FEECD1561035ACE94E8E00DB7,SHA256=9B7D49172C9CE2E15D26FA395540EDD5A1B5CE32747DB788C57D74417C9AB476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:29.345{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACD3B11E8C7BD11514589FB620A158F,SHA256=4F9E2453CA40D6E61889F7B382FA446DEA508CE1F65A199244235BD054E866C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:28.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-3163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:30.677{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381342683106A69A3212437D480958AF,SHA256=5C9C13B4320DC008FB37BBA3F4098C5DB213496B19DDD4947EA677E7D8C54363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:30.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A2FB962D1BFA0139D50EF6B8D6E007,SHA256=363F8CE26EC8EAA5B512172E0867C1F9B942FDA1D666FE25CB94F8B531073260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:30.363{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1416MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:29.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-11263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:29.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001295310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:31.834{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F22CCFC3821AF3C8A7E770DA2254A,SHA256=0E05007DD7394F46E5ED2EBB2C3D4EDE585FFFBD37FE34927FC108B0B92B57AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:31.389{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB8F61BA37F9B93D58FC0CFC478877A,SHA256=8A7BD8473739814084BE23DC82D8D26C7FA27E7F45B223EAB32470B6CBC3BC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:31.377{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1417MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:27.589{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61873-false10.0.1.12-8000- 23542300x80000000000000001388863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:31.076{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE9FBC0548B99AFCCF3C1C3FC617C1A,SHA256=E6052193EE14C7131DA23A47E2BA0BA2C115FEACC44C5436D64F4CF4BF0741AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:32.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B32068C8B95B39629888A4185B3D300,SHA256=8E52047823515A7FB2D4BFC7C784F4D5B43CE99BCD8B35BC05FBBB69C2B8F78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:32.394{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E470223954AA3B82C4D534FD7F2739,SHA256=E0876342049C4335AE7CE2E2DAEFB941DD47675D413DA8F6C184118CA2FB9877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:32.159{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6D1E276FB81282EC5AA72EED3E5B78,SHA256=AE4FF10D86135E3BE7A7F248D4BFE0BAF0AD73B3FF8D9CF8CD5F37AA90AD362B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:33.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D17548E398EBD54D676FE1B6119C37,SHA256=57A8F37680ACAF90FED3853B31491C6EBD81DD820403D70322F0521D31A15EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:33.526{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92391C8B4BBDBD130FE8B530F4B8426D,SHA256=FBEE99E951FCB69C46E0F0D685321A9B67D9BFC3BBEE1ED5CF5B9069EAC928CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:33.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676BA29F246D7CB08DE6419D73352724,SHA256=8EF4236AD3E26D5F30EFB603655F5F1928B8AD69A4D9985F0A23CEFA10DD9F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:32.712{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-46310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:32.631{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:32.105{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:31.010{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-19093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:34.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67601CE08B241557B0B6EDBEDFBFC11B,SHA256=E92E16C9836FEB5FC09749E39E34F776E992BB520589CB5F7E8F8BDB052FE755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:34.656{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B349B8AD8DEE43AE29068E6D0C497957,SHA256=2BB9543984DCBD60F560346D2C50034EC4B70611D93034C9D1D95BC1DC8A4295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:34.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38468FFDED7FC70D117691D30483BE06,SHA256=8C0E7866E09C993346EDB41E4A2B103979FE166B2E03204ECEFD34291B48364B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:33.362{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-34322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:35.912{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BCF1D3775F3B96C7A05C180E137272,SHA256=5BB80A907FF6ABEA9DB38251AD1F315D3A3742F4D53BDB9EA0CD0D4139360DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:35.671{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF9AE3E7A45900E1C8629D8015FD96C4,SHA256=EAB7C4F0C18BBF5F4D8105B1A307D3A74974922C59164FFDA13637740E562A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:35.440{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0A83D8A3F77B2FEA06F12464C9C7E3,SHA256=8F26CEA176B6FDB2C2FCF24A9AE530006C887AAF2E4586EDD005698AE25F2F2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:34.142{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:36.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D3C43E23346F8CD603BF939A93E3EF,SHA256=04E687AF2F901469761D619E7859555978E45B085498898896A652FB1469C720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:36.923{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C549E37BD5E5D29B4AD437D110847AA2,SHA256=7E0475CD6B2CCF8595AB6490CB5C9CB2DEAC9098A4EA507372B228B7D05951D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:36.470{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B651A0D9B4E20AD7876BBA7C017876,SHA256=58B1E8A223C029A6B67952B24818717A97A4D422BA1027A6954D82750692D7B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:35.454{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-1072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:35.080{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:34.570{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-43038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:37.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FABE727ECE81FC98822EF243C71E55F,SHA256=60695CFDD7EE1997AA528410003AE014B3661A7524FCAF6D8A3CF046681E18E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:37.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA1D2DCA13BEE3232CE9ED2AFB9FECF,SHA256=C1D9B7F0C5F799D61AB711B98492703AEA6B65A86BB2D0733CC9309DE93A50EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:33.558{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61874-false10.0.1.12-8000- 354300x80000000000000001388887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:36.854{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-58676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:36.755{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-8431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:35.703{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-51617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:38.506{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E2D835F4F28B9ACAC8FF39AD3BC1DB,SHA256=46EBA9CBB9A81D52EDF0BE67846DFE11D91BA0B3569AE98610D9565BD1E36D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:38.038{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99A158C88EBE1A2B3A7251698DE40C32,SHA256=EACF86A4AD47DD465F0D5BEFBAD5E9B86CF909DB04174172160DF36C6A2B3399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:39.520{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCBE1A882B7EBE2AA3023C8FF3243CC,SHA256=2CE8F582514793CE8694647FB46DFBBEC1CAACB2D020261719CD29A6230BF56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:39.095{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9D9854A35820B303BA561B93E20828,SHA256=4B43F6E45210A8F2A36FE83583AA4F1D72FBFE4C5A034CF88A42441A128A6B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:39.405{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48880403A3AD95579ED64246F2AF7345,SHA256=D0D45565DC5BA3E9D5838432BCE6991132DB0070D23BF5FC1F9EDD6EAAEDF631,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:38.007{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-15314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:37.983{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-7604-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:40.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DD55B5167C115E8295A29803F6EEA8,SHA256=E1AEAD2BE83C025DB85B8664BD39CAADC089A032B720E38D1E4A8676269E0CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:40.550{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E809B0E8ED9371F671C8FE3EF28B1AFE,SHA256=9AABCD7B46F18BA426023AD053573FE1BEAE3DDC0E80E215DDF9DA4864FD25A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:40.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117785B6BBEAA96137940AF28058E79A,SHA256=F1CEC66120E7AF15CEF3F917DAC269AB72130799068C2675D1EA0C6691C2A450,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:39.253{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-21731-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:41.933{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB31FC01C51F44053C2598AE6B6808E,SHA256=5020EDAB395F3A4438AA9019D51760AB24FE849BEB1917E9FE44189A9FD981B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:41.565{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D7932A4C39FC4C5566B58B5A3FFE1,SHA256=78116CE2169F0C8E4600935BD86A6A9B472BDE2AF04F362F0A074AD4BB5C84E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:41.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C5BF68E5501411D5021758D81765C,SHA256=B74E6A41051AE6DA2C383116A6563694C47359B084B265597E5D3551979C790B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:40.505{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-28427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:40.260{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:39.446{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-16709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:42.601{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9E6C2653674AA9D92C9BE7BED906F6,SHA256=28C1A5ADCD26BD3C5E4F809BA11DAD18A7FB8AF4FA9B6FCC8256D4A1B508B4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:39.476{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61875-false10.0.1.12-8000- 23542300x80000000000000001295321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:42.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529E7A8816A4B389C167E1E71482AFA4,SHA256=49089723CC6F47FF4EBCE9D9B5E60661E98A984F7DBB47EBC2EDDDDBE67C7163,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:41.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-33426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:41.766{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-35389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:40.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-26042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.616{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEB4225F7E62427EBA9E7067F07B750,SHA256=323EB808DDB5CC54A75B1768BC57BC8780F60A2BAC149BAE0E1E43A518F969AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:43.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0A081D3594ABBCDC40F23655204545,SHA256=23474B14B9D32EA2CA996B71C195B964E0E03F4FC67F39E3ACCCFE9564285CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.019{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-41689-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DC844AD0449DE7B3FE1ABD5CA1F2985,SHA256=0A9BAB16D62EC10F3287E4C5A82D94BAD38224F3EF4A2E0FF3B806F849D546FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:44.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1312C88A6B34DD6A02F0CFB4FC2F42F7,SHA256=F08F8E4D3C36D157BAC6E96B698F6C62F0E5878C298F8D47AE37975A175817E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:44.455{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=52BCB24AB30369AF60CACF0C1366F0CD,SHA256=4A171D6AD8EE1CAA054BA795913BDC98E532A88B97FE863B284FC30257E7D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:44.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E7919A60C00F14A73F09D926E4125,SHA256=73AED645F67CCAA26597ED7B3046B75E78E3D039A704A66D6BE7F4AEB6713072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:44.399{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DDDC873378F5EB089E77ECB211B4F8A,SHA256=CD3F8B65D3CBA8A4DC26FD56D3D16765DC676D03BA0F69F8A1640D0D1E7FE637,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.210{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001388911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.210{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59194-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001388910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:43.149{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-42305-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:45.645{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A122A6E8C30E2C77347AC8B303186487,SHA256=D4218C6CF873448833C191987AF7E8BE752B95B6B4F227A7733357F5DF3F6017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:45.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0737940DA392D0936238A0F0F2A48D50,SHA256=AAEEE0D37EEF34CE116D7CDA3ED74DE0A72396C5653948F013ECDE0F332232D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:45.498{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C26713E88D8747244E7F7DA154105BF,SHA256=F780B5E261B91EE8EAA298BBD10D0F4919728C55F3B2AC830804F59393ECABF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:44.292{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-49735-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:44.286{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-48489-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:46.697{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4688DD7658EDFEA3A7334BB0681348A,SHA256=CF8D2504AAC80C62A69D6B228AF1EB025963657A1B4A00E0CCE15583A9455484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:46.660{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68A9674D1EBCC45DF9A49CAB8385D87,SHA256=F5A77BA257D0CADCC4EDC92FD4E7C76FF6F20AD20A9F1A593FEF744CDCBB1D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:46.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B92F6A639C42C913816CE89ED494A0,SHA256=E888DEDF8EBEBFA4C39D776FBBFB74F8B84F4C8BC2296F9B7A12BAFCD0B5BEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:45.584{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-55464-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:45.439{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:47.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46C2A67E1CFE25EF86F50766A9D676B,SHA256=2924A268EEACE7CFD0702219D50DB5687235837261136054AD1D015B64CDC710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:47.677{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957989B85C07BEE7934F06E8AF255E54,SHA256=3AFF308E1ECD5194B239F213CC9896657780364FF5C377E54CA898B04D6DEB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:47.534{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:47.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793BB7137E2B3B5A4E79AF41088CFA7B,SHA256=9853C05E1308CC53CA6C9FD469A876BA822FA7B2BDB110F21897AD8381807430,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:46.589{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:46.185{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001388930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:48.742{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694A71859D0CFC9FE416CAA36251CB7F,SHA256=C6B276D35E2123B1B29A000B27CBE3E938F809E473E5E015877544C2448ACC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:48.206{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AE06EA5249669EFF6894FEF3FF7C01,SHA256=B00903E7D71BCBC03B36846343CBDBC3E2E0286712C3914ED0EFF34C4F12A6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:47.727{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:46.830{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-3114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:48.027{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:49.756{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1594ACCD36333571E5BDF536B1A88A80,SHA256=B2AEC5BD82C84323AC2EDC935C3F7A6ECE5B4441F840B1A70D9F03895D3895A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:45.867{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61877-false10.0.1.12-8089- 354300x80000000000000001295332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:45.397{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61876-false10.0.1.12-8000- 23542300x80000000000000001295331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:49.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D153C4F1EF418C85BB888FDB7FA1539,SHA256=3BC14ED0DD6C1767338F9192EA12EB152224DBC511DE54356DDDCD42B8F4EB1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:48.081{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-9591-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:49.157{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=576B4985D9138AE2FC73F9A7DAB32805,SHA256=0AA8EA45F3E7DB242D38978FF0FBEC31EF6974DEA215C82B0A884954B8B5B92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:50.775{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C34DB680EFBC763453C97CC13912E2,SHA256=7ED8B08A321A4FC86FC3DF725236A022BB13F67B338A269B160B90FF24D349F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:50.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC452069C59F83CD49911B8E5B636ED7,SHA256=5F1396B0223DBCCD9B128DE460E3C66ABF3858CFA4E914935A5FF6D3F994E8D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:49.020{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001388935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:48.833{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21688-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:50.355{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88E0D0A2C398CE738678E8D628792B2C,SHA256=6C8A06816A9CAB289A02C32540A294D9273DCDC7F06B3505BC661E9421236193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:51.854{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B710961BBFBC77151CC93FC2E38822,SHA256=4A11DF0D05461E13A275C6C2953F3F259408B9C55DB58EB308C4B564E6DA8A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:51.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A01A49A504F74430F789776AB3D7A9,SHA256=1C7963A76F89AB9F8DD943A985779C35D186FD36B28110D340727DFEB0BE4DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:51.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A42381EF002271DC73F6B5AC64A611,SHA256=4455E2E0CC36BC844CC3BFC121743361E4A7D905996B12AC9CE8B0ED1651AB2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:50.678{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-23384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:50.200{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-30829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:49.395{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-16618-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:52.938{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D63BE105C4DB566944476CF24A4BFA,SHA256=77CA6131A287852CC1547A33CED4EA7151395AEBDE256997A2BBF7B553919D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:52.838{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B047DCB8DABC5D8942E0AB4D8CDA1446,SHA256=46539E6820588D871A648605265C624D2666FFDEB3E46F4F24F43124C4661D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:52.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C761AE045209B832364E7537FA8B5A,SHA256=4B907C63125E980ED5CCEDD90EB02BAE90C798C643763D304D393FAFF3EB1AEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:52.063{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:51.924{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-30017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:51.436{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:53.852{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C48AC28D3E9A4AE805B6921B97530C,SHA256=D90119AEA40134786B9EA591054FB281D99F8D14AEFE64989BE6E3EFA9FD2A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:53.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A0126BE4992F46D0AD8CC1AADAA07D,SHA256=2B2F37EAD1E0A8C8EF853BA85FAA409A9D9EF341579A50E2AE755B0D1CFB253A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:52.884{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:54.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8741D7D1FCE434FFFFA804A2DA9E39E,SHA256=9D3741A8D475A4F1DC9BBACCB396418E1AF5CF51CC23E396DBB7B65573B1AF9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:50.569{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61878-false10.0.1.12-8000- 23542300x80000000000000001295338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:54.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0137F3515BC8FC78E39D0D7AD75560D,SHA256=3E506220D4FCA2907C1FEC8D59E9ABEC3DCD65F4C87B8A1E5603DC09518AE364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:53.209{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-36675-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:54.336{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8EDA0315C26B0E017F530C3FEB5FEC3,SHA256=A80C2100F586134FED7B49D16FCD5686361FB420303090F73B850D08ACB9C03E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:55.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C79403D73C58AAAB56106B4DA4D580,SHA256=B3B37479B9722CD39F67F6B01D37E70214FCA78436BC8BFE5627A3B0EC5C16F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:55.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2C44550CBB833703F6963A6F4DE4CA,SHA256=94FE76ED8A26020C2E3A6ABCA8DFE3679C9A51C5CE706443822A47412AD66701,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:55.380{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-6132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:54.455{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-43158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:54.182{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-57602-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:55.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B25F42522F5D2B4552F56F6721C0BEEB,SHA256=87C70751E3097EF7B17FA601F712C6B7E732900CCD36FE603EF3F16AAA032F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:56.934{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D5F92B7181F72A8FA48CAD222D1F1F,SHA256=1AC35072D3E8AF0EE2F7245AB7888AAA446198BD24E5156E2424B8EF0A5F2917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:56.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C0FD750F1C0665E1C584D0990A3F8F,SHA256=7971850F486EB7433B173D9F787187C1461955573DD4FDD793E8EA76AE4BBB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:56.534{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02AEFFB0BEACAE6D5CCFC884A6202B12,SHA256=0169085B7E0DB03CCE559A4A5914A86B547C866A693E72AC72A7CCF7B9DD2A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:57.969{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3508910EC6C64F4C209F5B7B874CA1F0,SHA256=7A450FF6FD9C3A26E0CA7126B0DE9D658F19A83B6549D892C39A3F6156C24ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:57.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E21904798C08077D20BCB943035A12,SHA256=B9DBDAEACBCDD7CF36B1A63B02D3329992D8EDD213B79CCACB180C8BB3D97F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:57.687{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5990CF39F8785147B56B4DEFDADB4614,SHA256=66AB6F470609238F15B5D293F295B7CA2EFF62C95E18D937E603B9D86CE4818A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:57.143{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:57.021{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56453-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:56.480{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-14329-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:55.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-49582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:58.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857B595BCD36BF88199D16026F3A63C2,SHA256=66807D1AA5C3A2840818D6DE9BDC38DEF6BD752A9BB7547AE4578235EE8930C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE17D0C0235C0009D4FBCB7C1E22D2F1,SHA256=D978E322065BEB2A805C5255C17E23CE1E6AD3A3AB9C0F1D6F5992180C97E8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.274{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-4349-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:57.603{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-21630-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F1BC11A6B1255F8B77555B36B9E91ABA,SHA256=0ECCC09FE68C60146BDE9752DBE1A7AF02F5B378278A865DEA70DB40B051FA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=97E6AF4E18B547A54A6D644D57505138,SHA256=7A8C9F5DE7DFDD790A483070AD5B396DE30F65EEA475AB78118B3F99E310DFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=71025B291DD5E590AB44F795D59C9B4B,SHA256=A2EE537C248851B5C4F5646FC56999DE81B425B8F8BFE524A230B696D305B4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BC6BEF9EB2BAEE2159357ED124421249,SHA256=7E20281E4A8EDCEEA12C1C0316F293DD0350D2A97346E7DC50C2D1DE4F6BAC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2C53F474CEB43EC26B254E7A2B47E6A7,SHA256=5C7C098A723A4B8F9BBC5504DBEE9E1058A9F891D2049995976A711E06773D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=30DD0FB14B8D3C95CF2B6668E4A167AF,SHA256=4EDCE52925B57F984DA595B43C149D48DA903B755A977F90D5BA775187C5D18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.149{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CF81B354DD3E049514277DE29C4D0F43,SHA256=7D948E11A843C6EE123B72382809B4B7AA303E6FC9F4BE06937A0E4EDE33C461,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:56.491{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61879-false10.0.1.12-8000- 23542300x80000000000000001295344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:33:59.602{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1E2D22CC8862BE53C0E7A1EEE3BDDC,SHA256=3A6EB799C2D71B1C897F27B948B14B6A788DAAF09003E371DA5B001D331856F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:58.716{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-28789-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:59.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6D2154BD53B93B1EEB51E422AD5A1F,SHA256=E1ADAD3A43D327548C977FD52D3A79B667E073F5D31ECDFBBE162339A0C998DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:00.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D88C3AFD8593B1B885E90D3C589380E,SHA256=EAB3FAEF0EEDBE6E01B544EEE80E98E7BD972550ACC5BB0D7AFFDBC6D217F141,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:59.810{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-36681-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:33:59.519{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-10877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:00.166{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912D1B1CA0931493D9F0F97EF0264638,SHA256=982203BF254E6DBD9E2EFBAD280815858E25839661884492F025B1F7F540508F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:00.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07533420D00D87A4D5416A893C88DB1D,SHA256=1C7321093C7B4F6703BAFC99783C928858F8B9B2788A956FDD00983E57A6B0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:01.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04D728410E69DB97841A3D603D7A8F9,SHA256=EA3D8911957A355B7D82330F5898BAAFE3D0C4E0C272D0559EB1171420FAF792,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:00.816{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:01.183{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E45FCB655BC9F85AA4D9758793BDF635,SHA256=873C07B5E0D79A6B2E221D848D5BDA4B7F75CD33C623D17F15B17FA6C6A8D802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:01.183{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C263487A70E05F48E76D9EFBE085AE7,SHA256=B548F463F3FB7FA29C050166445FFA6160EEBAA35437B4CC3EA1435D73C78CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:02.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEEDC9296D0919CFC4F891569E56E78C,SHA256=37974780BCD6261405B9F0A55575A25528C736AB9A0AA328BFA57D5B76CCE8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:02.067{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:01.080{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:02.230{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CB044C1516C236982C9A55D6F8C99E2,SHA256=2ED6F8590F16D1EF1DDFEE3C5A2419440FD95ABFAAF26033A199772E2BBBC4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:02.198{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72399026E06FDC0F491F653F46C13F73,SHA256=506F8281375D8592F9564FE197B9F5CA52D806FD000996F49A6204F10A5E380F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:03.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A9B8E78A4BE14214FCE5EA1032F56,SHA256=8E1B05C4E2C228B431CC5D5942863C0F357AD8C115940CE8DA31294E28DA38AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001388995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:03.442{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-1965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:03.314{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-30693-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:03.169{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001388992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:02.323{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.77-59386-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001388991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:02.257{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-53107-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:03.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BF3C0B7684D28FA301D04401E3F608,SHA256=476FAE3323D7B8D6AEACD590BE7F8E6B73591494F0B3681CEB367F67B3A9A1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:03.264{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BA695B335F073622B30BE7CD6D8A01,SHA256=6BF662DB318A85768B29455EBEEF27282CE66478301153F7C6D19B4FDB894B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:04.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F608E93640F54FA9796FC3BD4DC835F,SHA256=B8001B332E657D1597A060AA13BD64442E4C8B43F377FE1AF28A03B38569B851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:04.682{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D9907600D4A2CC5B65B755372FDD91,SHA256=E6E6E6D169392059FA32F61B865A0A7670D066A7F37C79AEDB2CAD75FFAA2765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:04.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12C21C243458D56AC45172DC6A21297,SHA256=213EE41C6FEA2E28614D47B07ACEEAE84B965B6694AFE68DA730420D5D6C8766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:05.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF91DDF7932C6AF1B7600C42384E8EE,SHA256=1D290089F36989EE2F69246C03FBD8829E36621024F67C54DE7E1E09D62B26B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:04.630{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-10218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:04.569{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-37420-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001388999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:05.812{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B392A5272C8661D2D75C4DDD2FBB673A,SHA256=52C3BD6F7303B47AC61E55E9A0400DA622473E6374E355190B2B201153D76449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001388998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:05.297{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CDB41A274B0AC532B5580333EAB282,SHA256=8E178CFACE9B79DA66B3B081E3D9CC5BC83CF6FA044E85B7D61010179FB93A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:02.496{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61880-false10.0.1.12-8000- 23542300x80000000000000001389004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:06.895{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B06BFE6623F534D195EE4D141BB4C32,SHA256=3E7202667D49D24BE0D955352EF898E176995F7FCDFC7195105AF5AB34ADFE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:05.725{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-17441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:06.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F11C29387ABF5EAE7A890CC17D69438,SHA256=4092E8353AE4C9521DBBBC334E59741F58D306B0BB7E730A281357D81D176905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:07.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674CC3472F3528BD6D539A2BEDC02009,SHA256=F92207327FC6A5FC7C2778F29416FCA2FF4B8A04D3641BBE187531799B47286D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:07.096{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-50695-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:06.842{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-24727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:05.848{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-44068-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:07.326{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F363E964E274BE1C834B827FDFAD4,SHA256=17983C004E5F2A7EDA1FEC4151E3087356504247F43A52C3A3CAE8FDE09DBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:07.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BDE1B9A0BF57776EDC6A68ADF295A1,SHA256=FF5B5B9383DBDB9AFDADC8766D560C113199FF69A7163F48093B8E3281CCC817,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:08.170{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001389011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:07.926{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-32456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:08.362{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9260393A95EED026E49F58D7EEC641F2,SHA256=320435C381AD0C2A3ADA2CA8BD8BCF5115DE6FA5D6A4E9CC1BA5032AA3C46B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:08.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4025402BDF84F704ACF039A5FF4D1D4D,SHA256=FC0FCAB990FC64976C910E43FF7045CFDD97432FD5F25811CB9CB6926015A68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDD6728983DFDD340B59279AD55A498,SHA256=C64FCA67B652D2CD10E14BDB40010FFEB9553A22EDB329109E1729566FF8C2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:09.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214BF4EBACF0BB8759F6B2D10FF9585A,SHA256=0D4EA29AAA90229853235B4EF5C9C41BCF1D455CEE36FF0EC99102C5AF10296A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C80F921AF30792A6300461869FC7CB7A,SHA256=A5A851DADFCB378E3F470E10A965B72239D309AD74647CBDE32A8B1C01E5651D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:10.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423C87B979B63335BE8F37FEF96544F0,SHA256=E6AF58739903935983B61F7FA069D10249311678ED6FAF3124CE593738302D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.957{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C5C58E068ADC4051F6A59CDD0194F435,SHA256=EB74693CD88B4231A2126DD9DE9EB7A94428C5413B703094170659BA7399D02B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E192-6152-F028-00000000FD01}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E192-6152-F028-00000000FD01}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E192-6152-F028-00000000FD01}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.863{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.858{5EBD8912-E192-6152-F028-00000000FD01}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001389031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.273{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.657{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-49081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.617{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-48797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.580{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-4868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:09.046{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-39574-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001389026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.479{5EBD8912-E192-6152-EF28-00000000FD01}6592852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001389025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.463{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1B971C44D6F6CAB48D88C3EFBE9B148,SHA256=E8A8401A6CF056346965D810D64458F9935142E64C559C2F61ED3410DC9708D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.425{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3950033A1CC3840E2B7B842D71BAC8FE,SHA256=0BFA40B6E3E065E93DE28D8A8B742035BA5F3D471907ECE09F3CE14F0C5125FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E192-6152-EF28-00000000FD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E192-6152-EF28-00000000FD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.194{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E192-6152-EF28-00000000FD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.195{5EBD8912-E192-6152-EF28-00000000FD01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001389015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:08.341{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57418-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:11.508{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-56736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.845{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-10843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:10.782{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-57097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:11.594{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A307F699E23856054F0C0FB8B5171E2,SHA256=8202B30DF7F25E6DE5E359242F877EBF24A02CD521437151FEC22DEAB00CE609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:11.462{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8937A6F9FE2AB90A91D32F2BB5FE89A0,SHA256=D133CA0A192CF458A41D5A7B880CC6934706181C21A456AAC16B98984496202D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:08.371{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61881-false10.0.1.12-8000- 10341000x80000000000000001295371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.571{69CF5F33-E193-6152-DBA1-00000000FD01}19802696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E193-6152-DBA1-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E193-6152-DBA1-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.353{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E193-6152-DBA1-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.338{69CF5F33-E193-6152-DBA1-00000000FD01}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:11.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA688C57CB8554DE30CCEE02639E04E6,SHA256=E7CFF1E6BBE14F734F43EBB374595B9829A223BE11A12648AC514507DAFD61B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAA9395BEA6DB5BC185F8C70C761D4AB,SHA256=1F1613C84271316256AEC98FB620AA8617694068B889AB50CD9DFC06CE6F71A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17781C96F7783CC7B77FECD9D8550D74,SHA256=14178AA80672A18A0BB06F5DDC43F412450F74167E4DED3782B5A6510468317E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D4E2E8FDEE2EB5B77159BA5A586681,SHA256=DDEA72E0EA4501C4249B08D32D58D288DCC977A3FAD2E6564EF40E6252369A91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E194-6152-DDA1-00000000FD01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-E194-6152-DDA1-00000000FD01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.728{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E194-6152-DDA1-00000000FD01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.713{69CF5F33-E194-6152-DDA1-00000000FD01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001389056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:11.871{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5679dccmfalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.677{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9898C9E9AC96ED0250C5C349E9D7D78C,SHA256=8D46110C21137A8E76F019E630BB050A3209000A35D391B4471F7A4A9C841D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E194-6152-F128-00000000FD01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E194-6152-F128-00000000FD01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.661{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E194-6152-F128-00000000FD01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.656{5EBD8912-E194-6152-F128-00000000FD01}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001389046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097D8703DD9F83F21BD8F1F6B56C564B,SHA256=4F2B54E7F2053B440D6BDD9FC7774E95A8E482493B24E7C00F7436C2475EF10D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.228{69CF5F33-E194-6152-DCA1-00000000FD01}9203040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E194-6152-DCA1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E194-6152-DCA1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.040{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E194-6152-DCA1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:12.025{69CF5F33-E194-6152-DCA1-00000000FD01}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E516B4F21154902327294364664EC91F,SHA256=E988FFB882DB9ECB89E5A90901E73C35EAF115ED4FC37CF70666B9876C044FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAA9395BEA6DB5BC185F8C70C761D4AB,SHA256=1F1613C84271316256AEC98FB620AA8617694068B889AB50CD9DFC06CE6F71A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.719{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-13149-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.551{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-24871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.264{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001389070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.970{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.629{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-5779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:12.094{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-17869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.777{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3236D53815FF320DAFBB8C113BD91CC,SHA256=7745DA69F18AADFE82C19D7AD77829C503BA62D5795282D5F1F673C40CD75915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.608{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12779E440B230FE76D6E30A1EF92FC8C,SHA256=6B48BD1B791173181814AAD1DA600553E099B8AC29EFDEE3F9E43DD7E2866D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.603{69CF5F33-E195-6152-DEA1-00000000FD01}29041520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.431{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E195-6152-DEA1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.431{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E195-6152-DEA1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E195-6152-DEA1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.415{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.401{69CF5F33-E195-6152-DEA1-00000000FD01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001389065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.539{5EBD8912-E195-6152-F228-00000000FD01}69806664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E195-6152-F228-00000000FD01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E195-6152-F228-00000000FD01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E195-6152-F228-00000000FD01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:13.324{5EBD8912-E195-6152-F228-00000000FD01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001389075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:14.108{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20640-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:14.609{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0440A52A239FF912B9D2AFA4FCE0ADE,SHA256=4947D18C98FAACA0C8C81D45E4BB810028A4F3D714E6F5059F28EB00E977AA61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E196-6152-E0A1-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-E196-6152-E0A1-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.712{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E196-6152-E0A1-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.697{69CF5F33-E196-6152-E0A1-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001295431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E195-6152-DFA1-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-E195-6152-DFA1-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:14.025{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E195-6152-DFA1-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.996{69CF5F33-E195-6152-DFA1-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:15.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DB4109EBAC0816B964447086576956,SHA256=764ADB2C2ACF6141412E0CAEFBE0C38E31B0240AF0106B429AA058FAEE051A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:15.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EE2D78C2209037D6B38A05A530F70D,SHA256=A08755FDDE8D5666EAFDDE2A55846EBF5ECE979D33F3C154A2593BF3D1C29F3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:15.087{69CF5F33-E196-6152-E0A1-00000000FD01}39644000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001389077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:15.624{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC451A24FFCF1E4570161AD64413E1C,SHA256=F1E0E8DBD36049AE2FFBC776607BF1F98BE7B23F0C0012B0CE810463E6685547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:15.040{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E8C294EA1E061EA3EA69A24F8D480EB,SHA256=AAA9B1F494275DD6ACFDD3B5A5E24D63BBECA6B06971625351ADECAAEB4D5152,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:13.371{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61882-false10.0.1.12-8000- 23542300x80000000000000001295448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:16.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9AB9EBCAA1B891305BB8465137E214,SHA256=2E15630ACFE2582EBAD496E84028471C669DCB264EB0E9BD6356537D84154A8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.759{5EBD8912-E198-6152-F328-00000000FD01}63485456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001389093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.641{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D1BD8FE96979F2CBE0DE862E5F3262,SHA256=FAFB7442A2454A6BC1F5C4C7A20960ADC87F5CBB1AF5CB1D5435C34D13E7BEA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.627{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001389091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.627{5EBD8912-8D2A-6151-9600-00000000FD01}46324848C:\Windows\Explorer.EXE{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8023FC5D8A8)|UNKNOWN(FFFF81461C6A5B48)|UNKNOWN(FFFF81461C6A5CC7)|UNKNOWN(FFFF81461C6A0351)|UNKNOWN(FFFF81461C6A1D1A)|UNKNOWN(FFFF81461C69FFD6)|UNKNOWN(FFFFF8023F975103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001389090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.627{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF533fdaf.TMPMD5=B75F25CB252B727E2DCC540CAC552E56,SHA256=96C19E5EE1729DB76022409784B322D8E42CBF29BE3FA29E7901432732AC8434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E198-6152-F328-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-E198-6152-F328-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.493{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E198-6152-F328-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.494{5EBD8912-E198-6152-F328-00000000FD01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001389081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.277{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95CC3472B6FB1B98F4CC6A0AA8A6025,SHA256=9DAFA110B741115B9E84226816EBA3CEE22F79F6331C20932EF7E2C0EAD400FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:15.440{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:15.070{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-22325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:14.878{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-31943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:17.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2430A43DC2167504CACC1888A33784,SHA256=777CD9132FDA353796EC99BFE5AA557DC73E0595A5FA74B191691915FE7ADCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1DB60B61A4E7C903FFA8DE01189D84,SHA256=36C56DDF14975D32A1CBCEE7A7AC84078B035FA28674005876653CB08CAAFB3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.610{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.610{5EBD8912-8CBF-6151-0D00-00000000FD01}9006692C:\Windows\system32\svchost.exe{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.441{5EBD8912-E199-6152-F428-00000000FD01}67807020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001389103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B87F56E75D173DE96A59F01BEEC058C,SHA256=3E00A38FA3609289B168E338DD9158D8104105BC935EE978A8F89FA9E9847500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001389102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E199-6152-F428-00000000FD01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-E199-6152-F428-00000000FD01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E199-6152-F428-00000000FD01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.179{5EBD8912-E199-6152-F428-00000000FD01}6780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001389142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.941{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1548215DB3426EF31648FDCB25A45D0B,SHA256=A91325415DC26DD3C0B071719AF20A3C1B8E84365DE5BA8A9657EDA648486B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:18.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABC4C674F86E8D2385FF8971BE95C3D,SHA256=B68DD7977A13D3BD55120A95B37D5F2B567AA1B69A8E30B87B479F3558874E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.340{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-37820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.700{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-38500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.163{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-29908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:16.127{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-38601-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001389137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.079{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-E19B-6152-F528-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CBF-6151-0C00-00000000FD01}8446432C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-E19B-6152-F528-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001389183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.979{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-E19B-6152-F528-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001389182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.980{5EBD8912-E19B-6152-F528-00000000FD01}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001295452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:19.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0241F9C627CBD4BB861543ACB885F7B,SHA256=7C57F18758A13280993810DC5542B4CE4293FF7BCA01B0F890755F833A7CD69B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.691{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.614{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.535{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.458{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-56217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.391{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.380{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-55908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.352{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.319{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.304{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-55618-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.295{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56266-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.265{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001389170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.257{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-56110-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.234{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.224{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-55297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.210{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55509-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.156{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-55033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.144{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-54521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.069{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54684-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.045{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.044{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-54267-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.011{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-54075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.971{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-53884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.941{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.862{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53523-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.823{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.784{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-53103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.783{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-48112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.759{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.734{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47674-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.707{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47325-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.669{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-47166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.645{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-46790-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.627{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-52189-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.607{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-46632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.569{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:18.459{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.32-45475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.872{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-46041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:17.378{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-45438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793069EF7703AC44FCD90C2E2F3D5646,SHA256=F5769901B0C7C2D549CC0F827ECD4F8668592130C46CC811FC4BAEA106F4156F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE5B77477F4807514DF3FE2CD6EF611,SHA256=B14F914029C7752E1CB54A14279A96C86B8D01DBE6CFB8E6AAA24F2004CAAB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:20.689{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AD6FBB076B4F08A6048BFE3610762A,SHA256=FF1FA18B4595F01854CDE458A2C91DC19D92212049F3418A84AE2A9124680839,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.555{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-3437-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.476{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.399{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2541-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.323{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-2115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.245{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-1633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.167{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-1159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.088{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59738-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.008{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-59275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.927{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-58831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.849{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-58397-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:19.771{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-57936-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.059{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4180B2738127658B3DC2A9C2AAF58E4F,SHA256=D04490BD61AF20E9E2D464E704ED35AA1D2059B17AED481D02665CDE39F6E177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:21.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98317C62819CB18D05B3527B7DC5787,SHA256=2A19FFE7BD802C0B112A99FE029B238C92E2BE9C9A5EF7158501B17AC964FB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:21.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE9194C778DE5C134083F600C8687615,SHA256=7A9BFF171D91AE4C00C6E9D8083283107349A8F8E10728D3FE7DC115DFDDE70D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:20.634{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse91.220.163.140-3842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001295468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-E19E-6152-E1A1-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F28-614D-0C00-00000000FD01}720320C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001295458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-E19E-6152-E1A1-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001295457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.252{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-E19E-6152-E1A1-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001295456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:22.237{69CF5F33-E19E-6152-E1A1-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001295455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:18.395{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61883-false10.0.1.12-8000- 23542300x80000000000000001295471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:23.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8D617DD640DB0FDBEBCBAE1CDE8806,SHA256=6B52706A2A3C828F41C35DC8AAF4379A638010DC6D605D66BFBBCAFEF5E37132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:23.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45FFB3965BE0793B7A0D25F3923B4E29,SHA256=9031D609CF399DD512297A49B50A6A0A0296B1920234F49D996D4FDF71A4116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:23.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11004EB12E3201B9C1BB8A3545B4EB82,SHA256=BDDF88E5F1AA0DEDAD82D1F28ED43DC9977537EFB661EC2909D80DC30F80E2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:23.010{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334CBFBBC4A1ED60E71887BA32F3FF0A,SHA256=A38ADCA56541BCFDBB956A61CB6DB2D68BDC65C93CC416C144923FC6FF967224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:24.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9708D3B6B541859DC69E7BF8981A592B,SHA256=C6F68E2E3A46DD6EEA1EBAE303EB3CFFEAC2645E84D4DC9BB0C42D2F100949EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:24.024{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AF571C9C02865E6A4F1850B599CD51,SHA256=7D94BA2014583204433279914994E2F2046033A13FE971BA131B87C871B52E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:25.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7943A6689E58F02B34BDB2785F8DC94F,SHA256=02DB3F01941858468E1B0B6C4301D787A293575CC02C72152877AEEF80D7FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:25.039{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC6C8F23AAF22D0BA1C6717EBBAECBA,SHA256=65FF2739B0D33D450046C21A982756BC1BA8B5708B96533465E92800E019CBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:26.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285452F515A9B490DF4855BEE8A0A2FD,SHA256=BEEF221EDFD3041AD59CD355907024443B09A62E738BDAD7DF921137B84BEF26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:25.264{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001389209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:26.057{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA790D9CDE5BA558E7E5DD64ECFFEC04,SHA256=CCAC58B9B95685399A9E6C9C1EBCF15B3076F028505F6CD44586D347C94C1AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:27.627{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3C0C0C313309F266987DD7E458C046,SHA256=1EEAAA30E92A1EF0182602F3C9E089FE0CE04BF604B083CE64F6CA2787655586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:27.075{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70767B3ABCE31ED9E1E6F0A421938E3D,SHA256=ABC4267F9C149E515BD3C5A25EBBFA2AC3E8E02668A2582CBA661FBB333CFCCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:23.504{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61884-false10.0.1.12-8000- 23542300x80000000000000001295478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:28.693{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-5734MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:28.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E9E5B2E61142A4F768209B667E3A6F,SHA256=BA8AC11EAFED69BDA24B1800930909F93D40C0BAD99333745AD2FB7085DA0ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:28.090{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4100DF878E250ED5DDD298B065567764,SHA256=2C27E0B74142166870E591ADBA73298691F7B9E3530D021B8661C6E77455BBAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:29.707{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-5735MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:29.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BDC3A41D2285F8949A2964D55765CD,SHA256=3B5E9220C8B38A859159E964B6964D118715DCED2E277E69AB3966B8BFDAEF5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:28.770{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-51302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:28.705{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-56452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:29.105{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB54A9C714B336022C9D159C95AA1E29,SHA256=C24FA80A08D0E4975F94F3EEE110CB72E983802A78E777E9BFA8761BEB21707B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:30.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8510E2B216B1EE47CE1B18CD208CC2,SHA256=37627C0EA345554DDF58EDBE4CA16EC0CAB2DAD137152BA7AC37E745B5A9901E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.120{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AADBA8481333A04E8E88CBB4749A034B,SHA256=5F094CB5899355DBD6258622B7C94FBA4C782D063E9A0D40EABA15F206672B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:31.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC16545A32ACCDF94C6954404F1C0BE0,SHA256=E9D5839F7FC1D87F91BBBCF9A861CA66E0925938370DBFF9DFA780AC04FADECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.906{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-1417MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.862{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-16851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.818{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-16560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.781{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-16383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.744{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-16154-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.712{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.706{5EBD8912-CDB7-6152-8426-00000000FD01}4172C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local59204-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x80000000000000001389229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.705{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52797- 354300x80000000000000001389228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.702{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53920- 354300x80000000000000001389227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.686{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15666-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.657{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.632{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.607{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-15209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.570{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-14974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.532{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-14707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.495{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-14526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.472{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-14245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.434{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-14074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.399{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-13925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001389217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.135{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DB400E1E57A22D2DD59F53CE3B7F33,SHA256=7ADAB34805BB95B0FDFC029790987F2F7A6F1D303E49B194DA94816B80524C05,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:29.381{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61886-false10.0.1.12-8000- 354300x80000000000000001295487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:29.349{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61885-false10.0.1.14-49672- 354300x80000000000000001295486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:29.030{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com1096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001295485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:32.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCAF74BE907B32F4F881DF9B54EB122,SHA256=3D64D586AFB91774713E4F5F44A86A2801864B23EFAD4167CC141A708D0F9457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.905{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-1418MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.420{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FEEFC7E1364DB3260A79C6F7B6EC03,SHA256=1CF6259C7F2D4E73E785A4E2733C6FE799A85804FFE158BFC6E54B7489E2896C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:32.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50E6EA3CE8313DE62E9EE7437B338F78,SHA256=3DA6ABCF55E0B22812244057B6B74AD5156CA2E52BCC9C474DE97D12AA0135C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:32.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C8D617DD640DB0FDBEBCBAE1CDE8806,SHA256=6B52706A2A3C828F41C35DC8AAF4379A638010DC6D605D66BFBBCAFEF5E37132,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.586{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22080-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.546{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.523{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21735-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.500{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.466{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21285-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.444{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-21115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.421{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20973-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.397{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.375{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20693-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.352{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20549-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.329{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.305{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20274-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.282{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-20125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.259{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001389247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.259{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19876-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.221{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.198{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.170{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-19168-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.124{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18683-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.029{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.005{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18143-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.980{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-17851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.946{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-17663-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.922{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-17375-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:30.885{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-17196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:33.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16667C9D7AA162AA4740FAB1B8D2081F,SHA256=AEE244B97F7141A302B9584A214D0FCEDAC0FD96BC0B613C9AB757924EC1A3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:33.448{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302CBB28D8B4AF68C6CDECE9C9256129,SHA256=889AB2E49F44FD2AE0E66B8760C65AD5FF13E996007B0454D7C671BABFF6E633,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001389275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.095{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-25779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.072{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-25469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.051{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54261885-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001389272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:32.031{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-24526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.979{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.889{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.861{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23480-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.802{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23198-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.704{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.656{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.633{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22673-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001389264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:31.609{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22447-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001295490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:34.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EB12ED890AE4EF8310228C97F479FA,SHA256=17100A50D49D9CFA46BB1CC45D5AEBA2F82D788E03944BDD427C05B475008A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:34.704{5EBD8912-CDB7-6152-8426-00000000FD01}4172ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\2013MD5=6B596D14510C1B84F7B8F85442FD6471,SHA256=8CC377C588B9B7FD4DC87B90B47B385B4F89DB43D28CE2832DB380C6AAD6819E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:34.473{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B15448D5C2B74663F5E9F091853F49,SHA256=BE9C3916D49F24C51E1DFED546BD5CE5CD385FE98CFEEE0DFE1422F694065D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:35.503{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B2D60A310A462993F1C4776B0E9A98,SHA256=EB2A918DFC38C0F450B81661B3F3DA14133F7E7B7D9DF286F85C2D2D9747F9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:35.710{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA0D0D7200574961FA4BA8D72A7ECCA,SHA256=3BFE4E126C8569D8C3642C64E73B8678A63544502E0EBB31683052A2A2965735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:36.517{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E6802E9FFCC29B179B34A5375B5467,SHA256=2314EBD3F170B8DA2E9B4B0BAA8C2C43E2AA293CC7CF355C9A5CE74D6072CC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:36.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315DDBA7A8F6896B3ECFE113877D2679,SHA256=A4A5F41BC189F87F4C2A267BDFF437951071D18D545133573B97A03389A67C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:37.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258FF59F397AD581236641A9EF0615FA,SHA256=B8B9E8E4B67AA6A42B317B365439171B742245825718554B81AEA63BAF3485CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:37.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185D9ACAA458900520353E583994D6E4,SHA256=F6396B952F4D5998C00BE321AF4A2ACE301C834E2BA92A6A134F5423378A2A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:38.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F932E5B3946922091A482A2B0D9ED647,SHA256=3E765D2D6E60E75B5230A089B0AFEE402870783E3835A22F2E096DE6AAE3F1AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001389283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:38.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C100E41575CA6876FFF622EC0119ED,SHA256=3EDE7D679B1C3B49FC681E03131FA368DDB1F351FC2AB9AC935FC088F7C306EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001295494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:34.552{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local61887-false10.0.1.12-8000- 354300x80000000000000001389282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:37.242{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local59206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001389284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-28 09:34:39.550{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DC310B8E4AEBDD33A5EF29A855A6C7,SHA256=A4AA29EDD252D517C63E59301DB8294DAAA3E253737D5F8801840B6DCC0B5B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001295496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-28 09:34:39.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2A8F58174A5AA13B4801D96360F0AB,SHA256=81220560E749EACBC34165ADEC1E540E69558458AF4A6F18FC08E2B6F6E23183,IMPHASH=00000000000000000000000000000000falsetrue